Proxy calculation system, proxy calculation method, proxy calculation requesting apparatus, and proxy calculation program and recording medium therefor

ABSTRACT

A function f(x) is calculated with a calculating apparatus that makes a correct calculation with a low probability. Provided that G and H are cyclic groups, f is a function that maps an element x of the group H into the group G, X 1  and X 2  are random variables whose values are elements of the group G, x 1  is a realized value of the random variable X 1 , and x 2  is a realized value of the random variable X 2 , an integer calculation part calculates integers a′ and b′ that satisfy a relation a′a+b′b=1 using two natural numbers a and b that are relatively prime. A first randomizable sampler is capable of calculating f(x) b x 1  and designates the calculation result as u. A first exponentiation part calculates u′=u a . A second randomizable sampler is capable of calculating f(x) a x 2  and designates the calculation result as v. A second exponentiation part calculates v′=v b . A determining part determines whether u′=v′ or not. A final calculation part calculates u b′ v a′  in a case where it is determined that u′=v′.

TECHNICAL FIELD

The present invention relates to a calculation technique by means of acomputer. In particular, it relates to a technique of performing acalculation using the result of a calculation performed by anothercalculator.

BACKGROUND ART

An art for a requesting apparatus to request a calculating apparatusthat does not always make a correct calculation to perform a calculationand calculate a function f using the result of the calculation isdescribed in Non-patent literature 1. The self-corrector described inNon-patent literature 1 calculates the function f by requesting thecalculating apparatus to perform the calculation a plurality of timesand adopting the calculation result by majority decision (see Non-patentliterature 1, for example).

PRIOR ART LITERATURE

Non-Patent Literature

-   Non-patent literature 1: M. Blum, M. Luby, and R. Rubinfeld,    “Self-Testing/Correcting with Applications to Numerical Problems”,    STOC 1990, pp. 73-83.

DISCLOSURE OF THE INVENTION Problems to be Solved by the Invention

However, in order for the self-corrector described in Non-patentliterature 1 to properly operate, the calculating apparatus has to makea correct calculation with a probability equal to or higher than acertain level. There is a problem in that there is no known art ofcalculating a function f with a calculating apparatus that makes acorrect calculation with a low probability.

Means to Solve the Problems

A proxy calculation system according to a first aspect of the presentinvention comprises: an integer calculation part that calculatesintegers a′ and b′ that satisfy a relation a′a+b′b=1 using two naturalnumbers a and b that are relatively prime; a first randomizable samplerthat is capable of calculating f(x)^(b)x₁ and designates the calculationresult as u; a first exponentiation part that calculates u′=u^(a); asecond randomizable sampler that is capable of calculating f(x)^(a)x₂and designates the calculation result as v; a second exponentiation partthat calculates v′=v^(b); a determining part that determines whetheru′=v′ or not; and a final calculation part that calculates u^(b′)v^(a′)in a case where it is determined that u′=v′, where G and H are cyclicgroups, f is a function that maps an element x of the group H into thegroup G, X₁ and X₂ are random variables whose values are elements of thegroup G, x₁ is a realized value of the random variable X₁, and x₂ is arealized value of the random variable X₂.

In a proxy calculation system according to a second aspect of thepresent invention, a requesting apparatus comprises: a first randomnumber generating part that generates a random number r₁ that is aninteger equal to or greater than 0 and smaller than K_(G); a secondrandom number generating part that generates a random number r₂ that isan integer equal to or greater than 0 and smaller than K_(H); a firstinput information calculating part that calculates first inputinformation g₁=μ_(g) ^(r1)g; a second input information calculating partthat calculates second input information h₁=μ_(h) ^(r2); a first listinformation calculating part that calculates z₁ν^(−r1r2) using z₁εFreceived from a calculating apparatus; a first list storage part thatstores an information set (r₂, z₁ν^(−r1r2)) composed of the randomnumber r₂ and the calculated z₁ν^(−r1r2); a third random numbergenerating part that generates a uniform random number d₁ that is aninteger equal to or greater than 0 and smaller than K; a fourth randomnumber generating part that generates a uniform random number r₄ that isan integer equal to or greater than 0 and smaller than K_(G); a fifthrandom number generating part that generates a uniform random number r₅that is an integer equal to or greater than 0 and smaller than K_(H); athird input information calculating part that calculates third inputinformation g₂=μ_(g) ^(r4)g^(d1); a fourth input information calculatingpart that calculates fourth input information h₂=μ_(h) ^(r5); a secondlist information calculating part that calculates z₂ν^(−r4r5) using z₂εFreceived from the calculating apparatus; a second list storage part thatstores an information set (d₁, r₅, z₂ν^(−r4r5)) composed of d₁, r₅ andthe calculated z₂ν^(−r4r5); a first determining part that determineswhether or not the information set read from the first list storage partand the information set read from the second list storage part satisfy arelation (w₁)̂(t₂s₂s₁ ⁻¹)=w₂, and substitutes s₁ for a and w₁ for ν′ in acase where the relation is satisfied, where s₁ and w₁ are a firstcomponent and a second component of the information set read from thefirst list storage part, respectively, and t₂, s₂ and w₂ are a firstcomponent, a second component and a third component of the informationset read from the second list storage part, respectively; a sixth randomnumber generating part that generates a uniform random number r₆ that isan integer equal to or greater than 0 and smaller than K_(G); a seventhrandom number generating part that generates a uniform random number r₇that is an integer equal to or greater than 0 and smaller than K_(H); afifth input information calculating part that calculates fifth inputinformation g₃=g^(r6); a sixth input information calculating part thatcalculates sixth input information h₃=μ_(h) ^(r7σ)h; a third listinformation calculating part that calculates z₃ν′^(−r6r7) using z₃εFreceived from the calculating apparatus; a third list storage part thatstores an information set (r₆, z₃ν′^(−r6r7)) composed of r₆ and thecalculated z₃ν′^(−r6r7); an eighth random number generating part thatgenerates a uniform random number d₂ that is an integer equal to orgreater than 0 and smaller than K; a ninth random number generating partthat generates a uniform random number r₉ that is an integer equal to orgreater than 0 and smaller than K_(G); a tenth random number generatingpart that generates a uniform random number r₁₀, that is an integerequal to or greater than 0 and smaller than K_(H); a seventh inputinformation calculating part that calculates seventh input informationg₄=μ_(g) ^(r9); an eighth input information calculating part thatcalculates eighth input information h₄=μ_(h) ^(r10σ)h^(d2); a fourthlist information calculating part that calculates z₄ν′^(−r9r10) usingz₄εF received from the calculating apparatus; a fourth list storage partthat stores an information set (d₂, r₉, z₄ν′^(−r9r10)) composed of d₂,r₉ and the calculated z₄ν′^(−r9r10); and a second determining part thatdetermines whether or not the information set read from the third liststorage part and the information set read from the fourth list storagepart satisfy a relation (w₃)̂(t₄s₄s₃ ⁻¹)=w₄, and outputs (w₃)̂(s₃ ⁻¹) in acase where the relation is satisfied, where s₃ and w₃ are a firstcomponent and a second component of the information set read from thethird list storage part, respectively, and t₄, s₄ and w₄ are a firstcomponent, a second component and a third component of the informationset read from the fourth list storage part, respectively, where G; H andF are cyclic groups, a map θ: G×H→F is a bi-homomorphism, g is anelement of the group G, h is an element of the group H, K_(G) is anorder of the group G, K_(H) is an order of the group H, μ_(g) is agenerator of the group G, μ_(h) is a generator of the group H,ν=θ(μ_(g), μ_(g)), k is a security parameter that is a natural number,and K=2^(k). The calculating apparatus comprises: a first outputinformation calculating part that is capable of calculating θ(g₁, h₁)using g₁ and h₁ received from the requesting apparatus and outputs thecalculation result as z₁; a second output information calculating partthat is capable of calculating θ(g₂, h₂) using g₂ and h₂ received fromthe requesting apparatus and outputs the calculation result as z₂; athird output information calculating part that is capable of calculatingθ(g₃, h₃) using g₃ and h₃ received from the requesting apparatus andoutputs the calculation result as z₃; and a fourth output informationcalculating part that is capable of calculating θ(g₄, h₄) using g₄ andh₄ received from the requesting apparatus and outputs the calculationresult as z₄.

Effects of the Invention

A calculating apparatus that makes a correct calculation with a lowprobability can be used to calculate a function f.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram showing an example of a proxycalculation system according to first to third embodiments;

FIG. 2 is a functional block diagram showing an example of a requestingapparatus and a calculating apparatus according to the first to thirdembodiments;

FIG. 3 is a functional block diagram showing an example of a sampleraccording to the first to third embodiments;

FIG. 4 is a functional block diagram showing an example of a firstrandomizable sampler and a second randomizable sampler according to thefirst to third embodiments;

FIG. 5 is a functional block diagram showing another example of thefirst randomizable sampler and the second randomizable sampler accordingto the first to third embodiments;

FIG. 6 is a flowchart showing an example of a proxy calculation methodaccording to the first to third embodiments;

FIG. 7 is a flowchart showing an example of Step S3;

FIG. 8 is a flowchart showing an example of Step S6;

FIG. 9 is a flowchart showing another example of Step S3;

FIG. 10 is a flowchart showing another example of Step S6;

FIG. 11 is a functional block diagram showing an example of a proxycalculation system according to fourth to tenth embodiments;

FIG. 12 is a functional block diagram showing an example of a requestingapparatus according to the fourth to tenth embodiments;

FIG. 13 is a functional block diagram showing an example of therequesting apparatus according to the fourth to tenth embodiments;

FIG. 14 is a functional block diagram showing an example of acalculating apparatus according to the fourth to tenth embodiments;

FIG. 15 is a flowchart showing an example of a proxy calculation methodaccording to the fourth to tenth embodiments;

FIG. 16 is a flowchart showing the example of the proxy calculationmethod according to the fourth to tenth embodiments; and

FIG. 17 is a functional block diagram showing a modification of theproxy calculation system.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following, proxy calculation systems and proxy calculationmethods according to embodiments of the present invention will bedescribed in detail.

According to a first and a second embodiment, a function f(x) iscalculated using the result of a calculation performed by a calculatingapparatus 2 in response to a request from a requesting apparatus 1.

First Embodiment

A proxy calculation system according to the first embodiment comprisesthe requesting apparatus 1 and the calculating apparatus 2 asillustrated in FIG. 1, and calculates the function f(x) using the resultof a calculation performed by the calculating apparatus 2 in response toa request from the requesting apparatus 1.

As shown in FIG. 2, the requesting apparatus 1 comprises a naturalnumber storage part 11, an integer calculation part 12, a firstexponentiation part 13, a first list storage part 14, a determining part15, a second exponentiation part 16, a second list storage part 17, acontrol part 18, and a final calculation part 19, for example. Thecalculating apparatus 2 comprises a first randomizable sampler 21 and asecond randomizable sampler 22, for example. According to the firstembodiment, the first randomizable sampler 21 and the secondrandomizable sampler 22 correspond to the calculating apparatus 2.

It is supposed that G and H denote cyclic groups, the function f: H→G isa function that maps an element x of the group H into the group G; μ_(g)and μ_(h) denote the generators of the groups G and H, respectively, X₁and X₂ denote random variables whose values are elements of the group G,x₁ denotes a realized value of the random variable X₁, and x₂ denotes arealized value of the random variable X₂.

It is assumed that the natural number storage part 11 stores a pluralityof pairs (a, b) of natural numbers a and b that are relatively prime.Provided that I denotes a set of pairs of relatively prime naturalnumbers smaller than the order of the group G, it can be considered thatthe natural number storage part 11 stores sets (a, b) of natural numbersa and b that correspond to a subset S of the set I.

The integer calculation part 12 randomly reads in one set (a, b) ofnatural numbers from the plurality of sets (a, b) of natural numbersstored in the natural number storage part 11, and calculates integers a′and b′ that satisfy a relation a′a+b′b=1 using the read-in set (a, b) ofnatural numbers (Step S1). Since the natural numbers a and b arerelatively prime, the integers a′ and b′ that satisfy the relationa′a+b′b=1 exist without fail. Information on the set (a, b) of naturalnumbers is transmitted to the first exponentiation part 13, the secondexponentiation part 16, the first randomizable sampler 21 and the secondrandomizable sampler 22. Information on the set (a′, b′) of integers istransmitted to the final calculation part 19.

The control part 18 assumes that t=1 (Step S2).

The first randomizable sampler 21 is capable of calculating f(x)^(b)x₁and performs the calculation using x and b, and the calculation resultis denoted by u (Step S3). The calculation result u is transmitted tothe first exponentiation part 13.

In this application, the expression “be capable of calculating” meansthat a calculation is possible with a probability equal to or higherthan a non-negligible probability. The expression “non-negligibleprobability” means a probability equal to or higher than 1/F(k), whereF(k) denotes a polynomial that is a monotone function of a securityparameter k in a broad sense.

To calculate f(x)^(b)x₁ means to calculate the value of the formuladefined as f(x)^(b)x₁. Any calculation process can be used as far as thevalue of the formula f(x)^(b)x₁ can be finally calculated. The sameholds true for calculation of any other formulas found in thisapplication.

The first exponentiation part 13 calculates u′=u^(a) (Step S4). The set(u, u′) of the calculation result u and u′ calculated based on thecalculation result is stored in the first list storage part 14.

The determining part 15 determines whether or not there are values u′and v′ that satisfy a relation u′=v′ in the sets (u, u′) stored in thefirst list storage part 14 and sets (v, v′) stored in the second liststorage part 17 (Step S5). If the second list storage part 17 stores noset (v, v′), the processing of Step S5 is omitted, and the processproceeds to the processing of the following Step S6. If there are valuesthat satisfy the relation u′=v′, the process proceeds to Step S12. Ifthere are no values that satisfy the relation u′=v′, the processproceeds to Step S6.

The second randomizable sampler 22 is capable of calculating f(x)^(a)x₂and performs the calculation using x and a, and the calculation resultis denoted by v (Step S6). The calculation result v is transmitted tothe second exponentiation part 16.

The second exponentiation part 16 calculates v′=v^(b) (Step S7). The set(v, v′) of the calculation result v and v′ calculated based on thecalculation result is stored in the second list storage part 17.

The determining part 15 determines whether or not there are values u′and v′ that satisfy the relation u′=v′ in the sets (u, u′) stored in thefirst list storage part 14 and the sets (v, v′) stored in the secondlist storage part 17 (Step S8). If there are values that satisfy therelation u′=v′, the process proceeds to Step 12. If there are no valuesthat satisfy the relation u′=v′, the process proceeds to Step S9.

The control part 18 determines whether or not t=T (Step S9). T denotes apredetermined natural number. If t=T, information that the calculationis impossible, such as a symbol “⊥”, is output (Step S11), and theprocess ends. If t≠T, the control part 18 increments t by 1 (t=t+1)(Step S10), and the process returns to Step S3.

The information that the calculation is impossible (the symbol “⊥” inthis example) means that the calculation reliability of the calculatingapparatus 2 is lower than a reference determined by T. In other words,it means that the T repeated calculations have failed.

When it is determined that there are values u′ and v′ that satisfy therelation u′=v′, the final calculation part 19 calculates u^(b′) andv^(a′) using u and v corresponding to the values u′ and v′ and outputsthe values u^(b′) and v^(a′) (step S12). The calculated u^(b′) andv^(a′) satisfy a relation u^(b′)v^(a′=f(x). A reason why the relation u)^(b′)v^(a′)=f(x) holds will be described below.

<<Reason why u^(b′)v^(a′)=f(x) Holds>>

It is assumed that X denotes a random variable whose value is an elementof the group G. An entity in a calculating apparatus that extracts asample x′ according to a random variable R and transmits back wx′ wherewεG in response to each request is referred to as a sampler with anerror X for an element w.

An entity in a calculating apparatus that extracts a sample x′ accordingto a random variable X and transmits back wax′x′ where wεG in responseto each input of a natural number a is referred to as a randomizablesampler with an error X for an element w. The randomizable sample usedon the assumption that a=1 serves as a sampler.

Configured to receive x and output f(x), the proxy calculation systemaccording to this embodiment uses the first randomizable sampler 21 withan error X₁ for f(x) and the second randomizable sampler 22 with anerror X₂ for f(x).

The inventor has found that the relation u′=v′, that is, the relationu^(a)=v^(b) is highly likely to hold when the first randomizable sampler21 correctly calculates u=f(x)^(b)x₁, the second randomizable sampler 22correctly calculates v=f(x)^(a)x₂, and x₁ and x₂ are unit elements e_(g)of the group G. The proof is omitted herein.

When the first randomizable sampler 21 correctly calculatesu=f(x)^(b)x₁, the second randomizable sampler 22 correctly calculatesv=f(x)^(a)x₂, and x₁ and x₂ are unit elements e_(g) of the group G, thefollowing relation holds:

u ^(b′) v ^(a′)=(f(x)^(b) x ₁)^(b′)(f(x)^(b) e _(g))^(b′)=(f(x)^(b) e_(g))^(b′)(f(x)^(a) e _(g))^(a′) =f(x)^(bb′) e _(g) ^(b′) f(x)^(aa′) e_(g) ^(a′) =f(x)^((bb′+aa′)) =f(x).

A function π_(i) for each i (=1, 2) is defined as π_(i)(q₁, q₂)=q_(h),where (q1, q2)εI. Besides, it is assumed that L=min(#π₁(S), #π₂(S)). Thesymbol #• denotes the order of a group •. When the group G is a cyclicgroup, or the order of the group G is difficult to calculate, theprobability of the output of the proxy calculation system describedabove not being f(x) when the output is not the symbol “⊥” is expectedto be of the order, at the most, of T²L/#S with a negligible error. IfL/#S is negligible, and T is of the order of the polynomial order, theproxy calculation system outputs f(x) with an overwhelmingly highprobability.

An example of the value of S that makes L/#S negligible is S={(1,d)|dε[2, |G|−1]}.

As shown by a dashed line in FIG. 2, the calculating apparatus 2 mayfurther comprises a sampler 23. The sampler 23 is capable of calculatingf(x)x₃, where X₃ is a random variable whose value is an element of thegroup G, and x₃ denotes a realized value of the random variable X₃, andperforms the calculation instead of the second randomizable sampler 22and designates the calculation result as v described above when a=1, andperforms the calculation instead of the first randomizable sampler 21and designates the calculation result as u described above when b=1.

In general, the calculation amount of the sampler is smaller than thatof the randomizable sampler. If a=1, and b=1, the calculation amount ofthe calculating apparatus 2 can be reduced by using the sampler 23 forcalculation instead of the first randomizable sampler 21 and the secondrandomizable sampler 22.

Second Embodiment

The second embodiment relates to another specific example of the firstrandomizable sampler 21 and the second randomizable sampler 22 of theproxy calculation system, or in other words, another specific example ofSteps S3 and S6. The following description will be mainly focused ondifferences from the first embodiment, and redundant description ofcommon things will be omitted.

As shown in FIG. 3, the first randomizable sampler 21 according to thesecond embodiment comprises a first random number generating part 110, afirst input information calculating part 111, a first output informationcalculating part 24, and a first calculating part 112, for example. Asshown in FIG. 3, the second randomizable sampler 22 according to thesecond embodiment comprises a second random number generating part 113,a second input information calculating part 114, a second outputinformation calculating part 25, and a second calculating part 115, forexample.

According to the second embodiment, the first random number generatingpart 110, the first input information calculating part 111, the firstcalculating part 112, the second random number generating part 113, thesecond input information calculating part 114 and the second calculatingpart 115 are included in the requesting apparatus 1. The first outputinformation calculating part 24 and the second output informationcalculating part 25 are included in the calculating apparatus 2.According to the second embodiment, the first output informationcalculating part 24 and the second output information calculating part25 correspond to the calculating apparatus 2.

According to the second embodiment, the function f is a homomorphism.The generator of the group H is denoted by μ_(h), the order of the groupH is denoted by K_(H), and ν=f(μ_(h)).

Step S3 is composed of Steps S31 to S34 illustrated in FIG. 7.

The first random number generating part 110 generates a uniform randomnumber r₁ that is an integer equal to or greater than 0 and smaller thanK_(H) (Step S31). The generated random number r₁ is transmitted to thefirst input information calculating part 111.

The first input information calculating part 111 calculates first inputinformation μ_(h) ^(r1)x^(b) (Step S32). The calculated first inputinformation μ_(h) ^(r1)x^(b) is transmitted to the first outputinformation calculating part 24.

The first output information calculating part 24 performs a calculationusing the first input information μ_(h) ^(r1)x^(b) and designates thecalculation result as first output information, z₁ (Step S33). Thecalculated first output information z₁ is transmitted to the firstcalculating part 112.

The first output information calculating part 24 is capable ofcalculating f(μ_(h) ^(r1)x^(b)). The result of the calculation performedby the first output information calculating part 24 may be or may not bef(μ_(h) ^(r1)x^(b)).

The superscript “r₁” of μ_(h) means r₁. In this way, in thisapplication, in an expression α^(βγ) where a denotes a first character,β denotes a second character and γ denotes a numeral, βγ means β_(γ),that is, γ is a subscript of β.

The first calculating part 112 calculates z₁ν^(−r1) and designates thecalculation result as u (Step S34). The calculation result u istransmitted to the first exponentiation part 13. Note thatu=z₁ν^(−r1)=f(x)^(b)x₁. That is, z₁ν^(−r1) is a randomizable samplerwith an error X₁ for f(x). A reason therefor will be described later.

Step S6 is composed of Steps S61 to S64 illustrated in FIG. 8.

The second random number generating part 113 generates a uniform randomnumber r₂ that is an integer equal to or greater than 0 and smaller thanK_(H) (Step S61). The generated random number r₂ is transmitted to thesecond input information calculating part 114.

The second input information calculating part 114 calculates secondinput information μ_(h) ^(r2)x^(a) (Step S62). The calculated secondinput information μ_(h) ^(r2)x^(a) is transmitted to the second outputinformation calculating part 25.

The second output information calculating part 25 performs a calculationusing the second input information μ_(h) ^(r2)x^(a) and designates thecalculation result as second output information z₂ (Step S63). Thecalculated second output information z₂ is transmitted to the secondcalculating part 115.

The second output information calculating part 25 is capable ofcalculating f(μ_(h) ^(r2)x^(a)). The result of the calculation performedby the second output information calculating part 25 may be or may notbe f(μ_(h) ^(r2)x^(a)).

The second calculating part 115 calculates z₂ν^(−r2) and designates thecalculation result as v (Step S64). The calculation result v istransmitted to the second exponentiation part 16. Note thatv=z₂|^(−r2)=f(x)^(a)x₂. That is, z₂ν^(−r2) is a randomizable samplerwith an error X₂ for f(x). A reason therefor will be described later.

In the second embodiment, if a=1, and b=1, the calculation amount can bereduced by using the sampler 23 for calculation of the value of u or vinstead of the first randomizable sampler 21 and the second randomizablesampler 22.

As shown in FIG. 4, the sampler 23 according to the second embodimentcomprises a third random number generating part 116, a third inputinformation calculating part 117, a third output information calculatingpart 26 and a third calculating part 118, for example. The third randomnumber generating part 116, the third input information calculating part117 and the third calculating part 118 are included in the requestingapparatus 1. The third output information calculating part 26 isincluded in the calculating apparatus 2.

When a=1, and b=1, the sampler 23 performs the following processingsinstead of the first randomizable sampler 21 and the second randomizablesampler 22.

The third random number generating part 116 generates a random number r₃that is an integer equal to or greater than 0 and smaller than K_(H).The generated random number r₃ is transmitted to the third inputinformation calculating part 117.

The third input information calculating part 117 calculates third inputinformation x^(r3). The calculated third input information x^(r3) istransmitted to the third output information calculating part 26.

The third output information calculating part 26 performs a calculationusing the third input information xr³ and designates the calculationresult as third output information z₃. The calculated third outputinformation z₃ is transmitted to the third calculating part 118.

The third output information calculating part 26 is capable ofcalculating f(x^(r3)). The result of the calculation performed by thethird output information calculating part 26 may be or may not bef(x^(r3)).

The third calculating part 118 calculates z₃ ¹⁴³ and designates thecalculation result as v when a=1 or as u when b=1. The calculationresult v is transmitted to the second exponentiation part 16. Thecalculation result u is transmitted to the first exponentiation part 13.Note that u=v=z₃ ^(1/r3)=f(x)x₃. That is, z₃ ^(1/r3) is a sampler withan error X₃ for f(x). A reason therefor will be described later.

When it is difficult to calculate z₃ ^(1/r3), that is, a root of z₃, uand/or v can be calculated in the following manner. The thirdcalculating part 118 stores in a storage part (not shown) a sequence ofsets (α₁, β₁), (α₂, β₂), . . . , (α_(m), β_(m)) of the random numbers r₃and the values z₃ calculated based on the random numbers r₃, where mdenotes a natural number. When the least common multiple of α₁, α₂, . .. , α_(m) is 1, the third calculating part 118 can calculate γ₁, γ₂, . .. and γ_(m) that satisfy a relation γ₁α₁+γ₂α₂+ . . . +γ_(m)α_(m)=1,where γ₁, γ₂, . . . and γ_(m) denote integers, calculate Π_(i=1)^(m)β_(i) ^(γi)=β₁ ^(γ1)β₂ ^(γ2) . . . β_(m) ^(γm), and designate thecalculation result as u and/or v.

Since information on x scrambled with the random numbers r₁, r₂ and r₃in this way is transmitted to the calculating apparatus 2, the value xεHthat is the target of the calculation of the value of the function f canbe concealed from the calculating apparatus 2 and a third partyintercepting the communication between the requesting apparatus 1 andthe calculating apparatus 2.

<<Reason why z₁ν^(−r1) and z₂ν^(−r2) are Randomizable Samplers withErrors X₁ and X₂ for f(x), Respectively>>

It is supposed that c denotes a natural number, R and R′ denote randomnumbers, the result of the calculation performed by the calculatingapparatus 2 using μ_(h) ^(R)x^(c) is denoted as B(μ_(h) ^(R)x^(c) thatis, z=B(μ_(h) ^(R)x^(c)) provided that z is the calculation resultreturned to the requesting apparatus 1 from the calculating apparatus2), and the random variable X whose value is an element of the group Gis defined as X=B(μ_(h) ^(R′))f(μ_(h) ^(R′))⁻¹.

Then, zν^(−R)=B(μ_(h) ^(R)x^(c))f(μ_(h))^(−R)=Xf(μ_(h)^(R)x^(c))f(μ_(h))^(−R)=Xf(μ_(h))^(R)f(μ_(h))^(−R)=f(x)^(c)X. That is,zν^(−R) is a randomizable sampler with an error X for f(x).

In development of the formula described above, properties are used thatX=B(μ_(h) ^(R′))f(μ_(h) ^(R′))⁻¹=B(μ_(h) ^(R)x^(c))⁻¹ and B(μ_(h)^(R)x^(c))=xf(μ_(h) ^(R)x^(c)). These properties are based on the factsthat the function f is a homomorphism, and R and R′ are random numbers.

Therefore, taking into consideration the facts that a and b are naturalnumbers, and r₁ and r₂ are random numbers, z₁ν^(−r1) and z₂ν^(−r2) arerandomizable samplers with errors X₁ and X₂ for f(x), respectively.

<<Reason why z₃ ^(1/r3) is Sampler With Error X₃ for f(x)>>

It is supposed that R and R′ denote random numbers, the result of thecalculation performed by the calculating apparatus 2 using x^(R) isdenoted as B(x^(R)) (that is, z=B(x^(R)) provided that z is thecalculation result returned to the requesting apparatus 1 from thecalculating apparatus 2), and the random variable X whose value is anelement of the group G is defined as X=B(x^(R))^(1/R)f(x)⁻¹.

Then, z^(1/R)=B(x^(R))^(1/R)=Xf(x)=f(x)X. That is, z^(1/R) is a samplerwith an error X for f(x).

In development of the formula described above, properties are used thatX=B(x^(R))^(1/R)f(x^(R))⁻¹ and B(x^(R))^(1/R)=Xf(x^(R)). Theseproperties are based on the fact that R and R′ are random numbers.

Therefore, taking into consideration the fact that r₃ is a randomnumber, Z^(1/R) is a randomizable sampler with an error X₃ for f(x).

Third Embodiment

A third embodiment relates to another specific example of the firstrandomizable sampler 21 and the second randomizable sampler 22 of theproxy calculation system, or in other words, another specific example ofSteps S3 and S6. More specifically, it relates to a specific example ofthe first randomizable sampler 21 and the second randomizable sampler 22in a case where H=G×G and the function f is a decryption function for anElGamal encryption, that is, f(c₁, c₂)=c₁c₂ ^(−s) for a secret key s anda cipher text (c₁, c₂). The following description will be mainly focusedon differences from the first embodiment, and redundant description ofcommon things will be omitted.

As shown in FIG. 5, the first randomizable sampler 21 according to thethird embodiment comprises a fourth random number generating part 119, afifth random number generating part 120, a fourth input informationcalculating part 121, a fifth input information calculating part 122, afourth output information calculating part 27, and a fourth calculatingpart 123, for example. As shown in FIG. 5, the second randomizablesampler 22 comprises a sixth random number generating part 124, aseventh random number generating part 125, a sixth input informationcalculating part 126, a seventh input information calculating part 127,a fifth output information calculating part 28, and a fifth calculatingpart 128, for example.

The fourth random number generating part 119, the fifth random numbergenerating part 120, the fourth input information calculating part 121,the fifth input information calculating part 122, the fourth calculatingpart 123, the sixth random number generating part 124, the seventhrandom number generating part 125, the sixth input informationcalculating part 126, the seventh input information calculating part 127and the fifth calculating part 128 are included in the requestingapparatus 1. According to the third embodiment, the fourth outputinformation calculating part 27 and the fifth output informationcalculating part 28 correspond to the calculating apparatus 2.

According to the third embodiment, it is supposed that x=(c₁, c₂), f(c₁,c₂) is a homomorphism from a direct product group G×G to the group G,the generator of the group G is μ_(g), the order of the group G isK_(G), and the requesting apparatus 1 and the calculating apparatus 2previously have knowledge of a cipher text (V, W)εH and a decrypted textf(V, W)=YεG resulting from decryption of the cipher text for a samesecret key s.

According to the third embodiment, Step S3 is composed of Steps S31′ toS36′ illustrated in FIG. 9.

The fourth random number generating part 119 generates a uniform randomnumber r₄ that is an integer equal to or greater than 0 and smaller thanK_(G) (Step S31′). The generated random number r₄ is transmitted to thefourth input information calculating part 121, the fifth inputinformation calculating part 122 and the fourth calculating part 123.

The fifth random number generating part 120 generates a uniform randomnumber r₅ that is an integer equal to or greater than 0 and smaller thanK_(G) (Step S32′). The generated random number r₅ is transmitted to thefourth input information calculating part 121 and the fourth calculatingpart 123.

The fourth input information calculating part 121 calculates fourthinput information c₁ ^(b)V^(r4)μ_(g) ^(r5) (Step S33′). The calculatedfourth input information c₁ ^(b)V^(r4)μ_(g) ^(r5) is transmitted to thefourth output information calculating part 27.

The fifth input information calculating part 122 calculates fifth inputinformation c₂ ^(b)W^(r4) (Step S34′). The calculated fifth inputinformation c₂ ^(b)W^(r4) is transmitted to the fourth outputinformation calculating part 27.

The fourth output information calculating part 27 performs a calculationusing the fourth input information c₁ ^(b)V^(r4)μ_(g) ^(r5) and thefifth input information c₂ ^(b)W^(r4) and designates the calculationresult as fourth output information z₄ (Step S35′).

The fourth output information calculating part 27 is capable ofcalculating f(c₁ ^(b)V^(r4)μ_(g) ^(r5), c₂ ^(b)W^(r4)). The result ofthe calculation performed by the fourth output information calculatingpart 27 may be or may not be f(c₁ ^(b)μ_(g) ^(r5), c₂ ^(b)W^(r4)).

The fourth calculating part 123 calculates z₄Y^(−r4)μ_(g) ^(−r5) anddesignates the calculation result as u (Step S36′). The calculationresult u is transmitted to the first exponentiation part 13. Note thatu=z₄Y^(−r4)μ_(g) ^(−r5)=f(c₁, c₂)^(b)x₁. That is, z₄Y^(−r4)μ_(g) ^(−r5)is a randomizable sampler with an error X₁ for f(c₁, c₂). A reasontherefor will be described later.

According to the third embodiment, Step S6 is composed of Steps S61′ toS66′ illustrated in FIG. 10.

The sixth random number generating part 124 generates a uniform randomnumber r₆ that is an integer equal to or greater than 0 and smaller thanK_(G) (Step S61′). The generated random number r₆ is transmitted to thesixth input information calculating part 126, the seventh inputinformation calculating part 127 and the fifth calculating part 128.

The seventh random number generating part 125 generates a uniform randomnumber r₇ that is an integer equal to or greater than 0 and smaller thanK_(G) (Step S62′). The generated random number r₇ is transmitted to thesixth input information calculating part 126 and the fifth calculatingpart 128.

The sixth input information calculating part 126 calculates sixth inputinformation c₁ ^(a)V^(r6)μ_(g) ^(r7) (Step S63′). The calculated sixthinput information c₁ ^(a)V^(r6)μ_(g) ^(r7) is transmitted to the fifthoutput information calculating part 28.

The seventh input information calculating part 127 calculates seventhinput information c₂ ^(a)W^(r6) (Step S64′). The calculated seventhinput information c₂ ^(a)W^(r6) is transmitted to the fifth outputinformation calculating part 28.

The fifth output information calculating part 28 performs a calculationusing the sixth input information c₁ ^(a)V^(r6)μ_(g) ^(r7) and theseventh input information c₂ ^(a)W^(r6) and designates the calculationresult as fifth output information z₅ (Step S65′). The calculated fifthoutput information z₅ is transmitted to the fifth calculating part 128.

The fifth output information calculating part 28 is capable ofcalculating f(c₁ ^(a)V^(r6)μ_(g), c₂ ^(a)W^(r6)). The result of thecalculation performed by the fifth output information calculating part28 may be or may not be f(c₁ ^(a)V^(r6)μ_(g), c₂ ^(a)W^(r6)).

The fifth calculating part 128 calculates z₅Y^(−r6)μ_(g) ^(−r7) anddesignates the calculation result as v (Step S66′). The calculationresult v is transmitted to the second exponentiation part 16. Note thatv=z₅Y^(−r6)μ_(g) ^(−r7)=f(c₁, c₂)^(a)x₂. That is, z₅Y^(−r6)μ_(g) ^(−r7)is a randomizable sampler with an error X₂ for f(c₁, c₂). A reasontherefor will be described later.

<<Reason why z₄Y^(−r4)μ_(g) ^(−r5) and z₅Y^(−r6)μ_(g) ^(−r7) areRandomizable Samplers with Errors X₁ and X₂ For f(c₁, c₂),Respectively>>

It is supposed that c denotes a natural number, R₁, R₂, R₁′ and R₂′denote random numbers, the result of the calculation performed by thecalculating apparatus 2 using c₁V^(R1)μ_(g) ^(R2) and c₂ ^(c)W^(R1)) isdenoted as B(c₁ ^(c)V^(R1)μ_(g) ^(R2), c₂ ^(c)W^(R1)) (that is z=B(c₁^(c)V^(R1)μ_(g) ^(R2), c₂ ^(c)W^(R1)) provided that z is the calculationresult returned to the requesting apparatus 1 from the calculatingapparatus 2), and the random variable X whose value is an element of thegroup G is defined as X<B(V^(R1′)μ_(g) ^(R2′), W^(R1′))f(V^(R1′)μ_(g)^(R2′), W^(R1′))⁻¹.

Then, zY^(−R1)μ_(g) ^(−R2)=B(c₁ ^(c)V^(R1)μ_(g) ^(R2),c2^(c)W^(R1))Y^(−−R1)μ_(g) ^(−R2)=Xf(c₁ ^(c)V^(R1)μ_(g) ^(R2), c₂^(c)W^(R1))Y^(−R1)μ_(g) ^(−R2)=Xf(c₁, c₂)^(c)f(μ_(g),e_(g))^(R2)Y^(−R1)μ_(g) ^(−R2)=Xf(c₁, c₂)^(c)Y^(R1)μ_(g)^(R2)Y^(−R1)μ_(g) ^(−R2)=f(c₁, c₂)^(c)X. That is, zY^(−R1)μ_(g) ^(−R2)is a randomizable sampler with an error X for f(x). Note that e_(g) is aunit element of the group G.

In development of the formula described above, properties are used thatX=B(V^(R1′)μ_(g) ^(−2′), W^(R1′))f(V^(R1′)μ_(g) ^(R2′), W^(R1′))⁻¹=B(c₁^(c)V^(R1)μ_(g) ^(R2), c₂ ^(c)W^(R1))f(c₁ ^(c)V^(R1)μ_(g) ^(R2), c₂^(c)W^(R1)) and B(c₁ ^(c)V^(R1)μ_(g) ^(R2), c₂ ^(c)W^(R1))=Xf(c₁^(c)V^(R1)μ_(g) ^(R2), c₂ ^(c)W^(R1)). These properties are based on thefact that R₁, R₂, R₁′ and R₂′ are random numbers.

Therefore, taking into consideration the facts that a and b are naturalnumbers, and r₄, r₅, r₆ and r₇ are random numbers, z₄Y^(−r4)μ_(g) ^(−r5)and z₅Y^(−r6)μ_(g) ^(−r7) are randomizable samplers with errors X₁ andX₂ for f(c₁, c₂), respectively.

Modifications of First to Third Embodiment

The random variables X₁, X₂ and X₃ may be the same or differ from eachother.

When each of the first random number generating part 110, the secondrandom number generating part 113, the third random number generatingpart 116, the fourth random number generating part 119, the fifth randomnumber generating part 120, the sixth random number generating part 124and the seventh random number generating part 125 generates a uniformrandom number, the security of the proxy calculation system is at thehighest level. However, when such a high security level is not required,each of the first random number generating part 110, the second randomnumber generating part 113, the third random number generating part 116,the fourth random number generating part 119, the fifth random numbergenerating part 120, the sixth random number generating part 124 and theseventh random number generating part 125 may generate a random numberthat is not a uniform random number.

In the examples described above, each of the first randomizable sampler21 and the second randomizable sampler 22 is invoked once.Alternatively, in order to reduce the number of communications betweenthe requesting apparatus 1 and the calculating apparatus 2, the firstrandomizable sampler 21 and the second randomizable sampler 22 may beinvoked a plurality of times for the same values of a and b to allow therequesting apparatus 1 to acquire a plurality of values of u and v inone communication.

The first randomizable sampler 21, the second randomizable sampler 22and the sampler 23 may be provided in the requesting apparatus 1 or thecalculating apparatus 2. In other words, all these components may beprovided in the calculating apparatus 2 as shown in the firstembodiment, or some of these components may be provided in therequesting apparatus 1, and the others may be provided in thecalculating apparatus 2 as shown in the second and third embodiments,for example.

The parts of the requesting apparatus 1 may exchange data directly orvia a storage part (not shown). Similarly, the parts of the calculatingapparatus 2 may exchange data directly or via a storage part (notshown).

Each of the requesting apparatus 1 and the calculating apparatus 2 canbe implemented by a computer. In this case, specific processings of thefunctions that the apparatus has to have are described in a program. Thecomputer executes the program, thereby implementing each processingfunction of the apparatus.

The program that describes the specific processings can be recorded in acomputer-readable recording medium. As an alternative to using acomputer that executes a predetermined program to provide theseapparatuses, at least part of these specific processings may beimplemented in a hardware form.

Fourth Embodiment

According to fourth to tenth embodiments, θ(g, h) is calculated usingthe result of a calculation performed by a calculating apparatus 2′ inresponse to a request from a requesting apparatus 1′.

As illustrated in FIG. 11, a proxy calculation system according to thefourth embodiment comprises the requesting apparatus 1′ and thecalculating apparatus 2′ and calculates a bi-homomorphism θ(g, h) usingthe result of a calculation performed by the calculating apparatus 2′ inresponse to the requesting apparatus P.

It is supposed that G, H and F denote cyclic groups, a map θ: G×H→F is abi-homomorphism, g denotes an element of the group G, h denotes anelement of the group H, K_(G) denotes the order of the group G, K_(H)denotes the order of the group H, μ_(g) denotes the generator of thegroup G, μ_(h) denotes the generator of the group H, ν=θ(μ_(g), μ_(h)),k denotes a security parameter that is an integer equal to or greaterthan 1, and K=2^(k).

The “bi-homomorphism” means a map that is homomorphic to each of twoinputs. In this example, the map θ(g, h) is homomorphic to the element gof the group G and to the element h of the group H.

There is a communication channel established between the requestingapparatus 1′ and the calculating apparatus 2′, and the requestingapparatus 1′ and the calculating apparatus 2′ can bidirectionallycommunicate with each other. The communication channel does not have tobe concealed, and a third party can intercept the information passingthrough the communication channel.

The requesting apparatus 1′ transmits information scrambled with arandom number to the untrusted and/or reliable calculating apparatus 2′,and the calculating apparatus 2′ performs a calculation using thescrambled information according to a certain algorithm and transmits thecalculation result back to the requesting apparatus V. The requestingapparatus 1′ finally calculates θ(g, h) by repeating informationtransmission to and reception from the calculating apparatus 2′.

The requesting apparatus 1′ first calculate information (σ, ν′) that isequivalent to θ(g, μ₄) through a process from Step S11′ to Step S125′(see FIG. 15), and then calculates θ(g, μ) through a process from StepS21′ to Step S225′ using the information (σ, ν′) that is equivalent toθ(g, μ_(h)).

As illustrated in FIGS. 12 and 13, the requesting apparatus 1′ comprisesa first random number generating part 11′, a second random numbergenerating part 12′, a first input information calculating part 13′, asecond input information calculating part 14′, a first list informationcalculating part 15′, a first list storage part 16′, a receiving part17′, a transmitting part 18′, a fourth random number generating part21′, a fifth random number generating part 22′, a third inputinformation calculating part 23′, a fourth input information calculatingpart 24′, a second list information calculating part 25′, a second liststorage part 26′, a third random number generating part 27′, a firstdetermining part 28′, a sixth random number generating part 31′, aseventh random number generating part 32′, a fifth input informationcalculating part 33′, a sixth input information calculating part 34′, athird list information calculating part 35′, a third list storage part36′, a ninth random number generating part 41′, a tenth random numbergenerating part 42′, a seventh input information calculating part 43′,an eighth input information calculating part 44′, a fourth listinformation calculating part 45′, a fourth list calculating part 46′, aneighth random number generating part 47′ and a second determining part48′, for example.

As illustrated in FIG. 14, the calculating apparatus 2′ comprises areceiving part 51′, a transmitting part 52′, a first output informationcalculating part 53′, a second output information calculating part 54′,a third output information calculating part 55′ and a fourth outputinformation calculating part 56′, for example.

<Step S11′ (FIG. 15)>

The first random number generating part 11′ generates a uniform randomnumber r₁ that is equal to or greater than 0 and smaller than K_(G)(Step S11′). The generated random number r₁ is transmitted to the firstinput information calculating part 13′ and the first list informationcalculating part 15′.

<Step S12′>

The second random number generating part 12′ generates a uniform randomnumber r₂ that is equal to or greater than 0 and smaller than K_(H)(Step S12′). The generated random number r₂ is transmitted to the secondinput information calculating part 14′, the first list informationcalculating part 15′ and the first list storage part 16′.

<Step S13′>

The first input information calculating part 13′ calculates first inputinformation g₁=μ_(g) ^(r1)g (Step S13′). The calculated information g₁is transmitted to the transmitting part 18′.

The superscript “r1” of μ_(g) means r₁. In this way, in thisapplication, in an expression α^(βγ) where a denotes a first character,β denotes a second character and γ denotes a numeral, βγ means β_(γ),that is, γ is a subscript of β.

To calculate g₁=μ_(g) ^(r1)g means to calculate the value of g₁ definedby the formula μ_(g) ^(r1)g. Any calculation process can be used as faras the value of the formula μ_(g) ^(r1)g can be finally calculated. Thesame holds true for calculation of any other formulas found in thisapplication.

<Step S14′>

The second input information calculating part 14′ calculates secondinput information h₁=μ_(h) ^(r2) (Step S14′). The calculated informationh₁ is transmitted to the transmitting part 18′.

<Step S15′>

The transmitting part 18′ transmits the first input information g₁ andthe second input information h₁ to the calculating apparatus 2′ (StepS15′).

<Step S16′>

The receiving part 51′(FIG. 14) of the calculating apparatus 2′ receivesthe first input information g₁ and the second input information h₁ (StepS16′).

<Step S17′>

The first output information calculating part 53′ performs a calculationusing the first input information g₁ and the second input information h₁and designates the calculation result as first output information z₁(Step S17′). The first output information z₁ is transmitted to thetransmitting part 52′.

The first output information calculating part 53′ is capable ofcalculating θ(g₁, h₁). The result of the calculation performed by thefirst output information calculating part 53′ may be or may not be θ(g₁,h₁).

In this application, the expression “be capable of calculating” meansthat a calculation is possible with a non-negligible probability. Theexpression “non-negligible probability” means a probability equal to orhigher than 1/f(k), where f(k) denotes a polynomial that is amonotonically increasing function of a security parameter k in a broadsense.

<Step S18′>

The transmitting part 52′ transmits the first output information z₁ tothe requesting apparatus 1′ (Step S18′).

<Step S19′>

The receiving part 17′ (FIG. 12) of the requesting apparatus 1′ receivesthe first output information z₁ (Step S19′). The received first outputinformation z₁ is transmitted to the first list information calculatingpart 15′. In this example, it is supposed that the first outputinformation z₁ is an element of the group F.

<Step S110′>

The first list information calculating part 15′ calculates z₁ν^(−r1r2)using the random numbers r₁ and r₂ and the first output information z₁(Step S110′). The calculated z₁ν^(−r1r2) is transmitted to the firstlist storage part 16′.

<Step S111′>

An information set (r₂, z₁ν^(−r1r2)) composed of the random number r₂and the calculated z₁ν^(−r1r2) is added to a list L₁. In this example,the first list storage part 16′ stores the information set (r₂,z₁ν^(−r1r2)) (Step S111′).

<Step S112′>

The third random number generating part 27′ generates a uniform randomnumber d₁ that is equal to or greater than 0 and smaller than K (StepS112′). The generated random number d₁ is transmitted to the third inputinformation calculating part 23′ and the second list storage part 26′.

<Step S113′>

The fourth random number generating part 21′ generates a uniform randomnumber r₄ that is equal to or greater than 0 and smaller than K_(G)(Step S113′). The generated random number r₄ is transmitted to the thirdinput information calculating part 23′ and the second list informationcalculating part 25′.

<Step S114′>

The fifth random number generating part 22′ generates a uniform randomnumber r₅ that is equal to or greater than 0 and smaller than K_(H)(Step S114′). The generated random number r₅ is transmitted to thefourth input information calculating part 24′, the second listinformation calculating part 25′ and the second list storage part 26′.

<Step S115′>

The third input information calculating part 23′ calculates third inputinformation g₂=μ_(g) ^(r4)g^(d1) (Step S115′). The calculated thirdinput information g₂ is transmitted to the transmitting part 18′.

<Step S116′>

The fourth input information calculating part 24′ calculates fourthinput information h₂=μ_(h) ^(r5) (Step S116′). The calculated fourthinput information h₂ is transmitted to the transmitting part 18′.

<Step S117′>

The transmitting part 18′ transmits the third input information g₂ andthe fourth input information h₂ to the calculating apparatus 2′ (StepS117′).

<Step S118′>

The receiving part 51′ (FIG. 14) of the calculating apparatus 2′receives the third input information g₂ and the fourth input informationh₂ (Step S118′).

<Step S119′>

The second output information calculating part 54′ performs acalculation using the third input information g₂ and the fourth inputinformation h₂ and designates the calculation result as second outputinformation z₂ (Step S119′). The second output information z₂ istransmitted to the transmitting part 52′.

The second output information calculating part 54′ is capable ofcalculating θ(g₂, h₂). The result of the calculation performed by thesecond output information calculating part 54′ may be or may not beθ(g2, h₂).

<Step S120′>

The transmitting part 52′ transmits the second output information z₂ tothe requesting apparatus 1′ (Step S120′).

<Step S121′>

The receiving part 17′ (FIG. 12) of the requesting apparatus 1′ receivesthe second output information z₂ (Step S121′). The received secondoutput information z₂ is transmitted to the second list informationcalculating part 25′. In this example, it is supposed that the secondoutput information z₂ is an element of the group F.

<Step S122′>

The second list information calculating part 25′ calculates z₂ν^(−r4r5)using the random numbers r₄ and r₅ and the second output information z₂(Step S122′). The calculated z₂ν^(−r4r5) is transmitted to the secondlist storage part 26′.

<Step S123′>

An information set (d₁, r₅, z₂ν^(−r4r5)) composed of the random numbersd₁ and r₅ and the calculated z₂ν^(−r4r5) is added to a list L₂. In thisexample, the second list storage part 26′ stores the information set(d₁, r₅, z₂ν^(−r4r5)) (Step S123′).

<Step S124′>

Provided the first element and the second element of the information setread from the first list storage part 16′ are denoted by s₁ and w₁,respectively, and the first element, the second element and the thirdelement of the information set read from the second list storage part26′ are denoted by t₂, s₂ and w₂, respectively, the first determiningpart 28′ determines whether or not these information sets satisfy arelation (w₁)̂(t₂s₂s₁ ⁻¹)=w₂ (Step S124′).

When the first list storage part 16′ and the second list storage part26′ store a plurality of information sets, the first determining part28′ makes the determination of whether the relation described above issatisfied or not for every pair of the information set (r₂, z₁ν^(−r1r2))stored in the first list storage part 16′ and the information set (d₁,r₅, z₂ν^(−r4r5)) stored in the second list storage part 26′. Of course,the determination processing can be omitted for an information pair forwhich the determination of whether the relation described above issatisfied or not has already been made.

<Step S125′>

If the relation described above is satisfied, the first determining part28′ substitutes s₁ for σ and w₁ for ν′ (Step S125′). Note thatν′^(1/σ)=w₁ ^(1/σ)=θ(g, μ_(h)). A reason why the relation ν′^(1/σ)=θ(g,μ_(h)) holds will be described later.

If the relation described above is not satisfied, the process returns toStep S11′.

<Step S21′ (FIG. 16)>

The sixth random number generating part 31′ generates a uniform randomnumber r₆ that is equal to or greater than 0 and smaller than K_(G)(Step S21′). The generated random number r₆ is transmitted to the fifthinput information calculating part 33′, the third list informationcalculating part 35′ and the third list storage part 36′.

<Step S22′>

The seventh random number generating part 32′ generates a uniform randomnumber r₇ that is equal to or greater than 0 and smaller than K_(H)(Step S22′). The generated random number r₇ is transmitted to the sixthinput information calculating part 34′ and the third list informationcalculating part 35′.

<Step S23′>

The fifth input information calculating part 33′ calculates fifth inputinformation g₃=μ_(g) ^(r6) (Step S23′). The calculated information g₃ istransmitted to the transmitting part 18′.

<Step S24′>

The sixth input information calculating part 34′ calculates sixth inputinformation h₃=μ_(h) ^(r7σ)h (Step S24′). The calculated information h₃is transmitted to the transmitting part 18′.

<Step S25′>

The transmitting part 18′ transmits the fifth input information g₃ andthe sixth input information h₃ to the calculating apparatus 2′ (StepS25′).

<Step S26′>

The receiving part 51′ (FIG. 14) of the calculating apparatus 2′receives the fifth input information g₃ and the sixth input informationh₃ (Step S26′).

<Step S27′>

The third output information calculating part 55′ performs a calculationusing the fifth input information g₃ and the sixth input information h₃and designates the calculation result as third output information z₃(Step S27′). The third output information z₃ is transmitted to thetransmitting part 52′.

The third output information calculating part 55′ is capable ofcalculating θ(g₃, h₃). The result of the calculation performed by thethird output information calculating part 55′ may be or may not be θ(g₃,h₃).

<Step S28′>

The transmitting part 52′ transmits the third output information z₃ tothe requesting apparatus 1′ (Step S28′).

<Step S29′>

The receiving part 17′ (FIG. 13) of the requesting apparatus 1′ receivesthe third output information z₃ (Step S29′). The received third outputinformation z₃ is transmitted to the third list information calculatingpart 35′. In this example, it is supposed that the third outputinformation z₃ is an element of the group F.

<Step S210′>

The third list information calculating part 35′ calculates z₃ν′^(−r6r7)using the random numbers r₆ and r₇ and the third output information z₃(Step S210′). The calculated z₃ν′^(−r6r7) is transmitted to the thirdlist storage part 36′.

<Step S211′>

An information set (r₆, z₃ν′^(−r6r7)) composed of the random number r₆and the calculated z₃ν′^(−r6r7) is added to a list L₃. In this example,the third list storage part 36′ stores the information set (r₆,z₃ν′^(−r6r7)) (Step S211′).

<Step S212′>

The eighth random number generating part 47′ generates a uniform randomnumber d₂ that is equal to or greater than 0 and smaller than K (StepS212′). The generated random number d₂ is transmitted to the eighthinput information calculating part 44′ and the fourth list storage part46′.

<Step S213′>

The ninth random number generating part 41′ generates a uniform randomnumber r₉ that is equal to or greater than 0 and smaller than K_(G)(Step S213′). The generated random number r₉ is transmitted to theseventh input information calculating part 43′, the fourth listinformation calculating part 45′ and the fourth list storage part 46′.

<Step S214′>

The tenth random number generating part 42′ generates a uniform randomnumber r₁₀ that is equal to or greater than 0 and smaller than K_(H)(Step S214′). The generated random number r₁₀ is transmitted to theeighth input information calculating part 44′, the fourth listinformation calculating part 45′ and the fourth list storage part 46′.

<Step S215′>

The seventh input information calculating part 43′ calculates seventhinput information g₄=g^(r9) (Step S215′). The calculated seventh inputinformation g₄ is transmitted to the transmitting part 18′.

<Step S216′>

The eighth input information calculating part 44′ calculates eighthinput information h₄=μ_(h) ^(r10σ)h^(d2) (Step S216′). The calculatedeighth input information h₄ is transmitted to the transmitting part 18′.

<Step S217′>

The transmitting part 18′ transmits the seventh input information g₄ andthe eighth input information h₄ to the calculating apparatus 2′ (StepS217′).

<Step S218′>

The receiving part 51′ (FIG. 14) of the calculating apparatus 2′receives the seventh input information g₄ and the eighth inputinformation h₄ (Step S218′).

<Step S219′>

The fourth output information calculating part 56′ performs acalculation using the seventh input information g₄ and the eighth inputinformation h₄ and designates the calculation result as fourth outputinformation z₄ (Step S219′). The fourth output information z₄ istransmitted to the transmitting part 52′.

The fourth output information calculating part 56′ is capable ofcalculating θ(g₄, h₄). The result of the calculation performed by thefourth output information calculating part 56′ may be or may not beθ(g₄, h₄).

<Step S220′>

The transmitting part 52′ transmits the fourth output information z₄ tothe requesting apparatus 1′ (Step S220′).

<Step S221′>

The receiving part 17′ (FIG. 12) of the requesting apparatus 1′ receivesthe fourth output information z₄ (Step S221). The received fourth outputinformation z₄ is transmitted to the fourth list information calculatingpart 45′. In this example, it is supposed that the fourth outputinformation z₄ is an element of the group F.

<Step S222′>

The fourth list information calculating part 45′ calculatesz₄ν′^(−r9r10) using the random numbers r₉ and r₁₀ and the fourth outputinformation z₄ (Step S222′). The calculated z₄ν′^(−r9r10) is transmittedto the fourth list storage part 46′.

<Step S223′>

An information set (d₂, r₉, z₄ν′^(−r9r10)) composed of the randomnumbers d₂ and r₉ and the calculated z₄ν′^(−r9r10) is added to a listL₄. In this example, the fourth list storage part 46′ stores theinformation set (d₂, r₉, z₄ν′^(−r9r10)) (Step S223′).

<Step S224′>

Provided the first element and the second element of the information setread from the third list storage part 36′ are denoted by s₃ and w₃,respectively, and the first element, the second element and the thirdelement of the information set read from the fourth list storage part46′ are denoted by t₄, s₄ and w₄, respectively, the second determiningpart 48′ determines whether or not these information sets satisfy arelation (w₃)̂(t₄s₄s₃ ⁻¹)=w₄ (Step S224′).

When the third list storage part 36′ and the fourth list storage part46′ store a plurality of information sets, the second determining part48′ makes the determination of whether the relation described above issatisfied or not for every pair of the information set (r₆,z₃ν′^(−r6r7)) stored in the third list storage part 36′ and theinformation set (d₂, r₉, z₄ν^(−r9r10) stored in the fourth list storagepart 46′. Of course, the determination processing can be omitted for aninformation pair for which the determination of whether the relationdescribed above is satisfied or not has already been made.

<Step S225′>

If the relation described above is satisfied, the second determiningpart 48′ outputs (w₃)̂(s₃ ⁻¹) (Step S225′). Note that (w₃)̂(s₃ ⁻¹)=θ(g,h). A reason why the relation (w₃)̂(s₃ ⁻¹)=θ(g, h) holds will bedescribed later.

If the relation described above is not satisfied, the process returns toStep S21′.

When it is difficult to calculate (w₃)̂(s₃ ⁻¹), that is, a root of w₃,θ(g, h) can be easily calculated in the following manner. The seconddetermining part 48′ stores in a storage part 410′ sets (w₃, s₃) of thevalues w₃ and s₃ that satisfy the relation (w₃)̂(t₄s₄s₃ ⁻¹) as a sequenceof sets (α₁, S₁), (α₂, S₂), . . . , (α_(m), S_(m)) by repeating theprocess from Step S21′ to Step S224′. Note that m denotes a naturalnumber. If S_(m) that is relatively prime to S₁ is found, the seconddetermining part 48′ calculates integers L₁ and L₂ that satisfy arelation L₁S₁+L₂S_(m)=1, and calculates α₁ ^(L1)α_(m) ^(L2) using theintegers L₁ and L₂. α₁ ^(L1)α_(m) ^(L2)=θ(g, h)^((L1S1+L2S2))=θ(g, h).When the least common multiple of S₁, S₂, . . . and S_(m) is 1, thesecond determining part 48′ can calculate integers L₁, L₂, . . . andL_(m), that satisfy a relation L₁S₁+L₂S₂+ . . . +L_(m)S_(m)=1, andcalculate α₁ ^(L1)α₂ ^(L2) . . . α_(m) ^(Lm) using the integers L₁, L₂,. . . , L_(m). α₁ ^(L1)α₂ ^(L2) . . . α_(m) ^(Lm)=θ(g,h)^((L1S1+L2S2+ . . . +LmSm))=θ(g, h).

Even if there is an attacker M who can intercept the communicationbetween the requesting apparatus 1′ and the calculating apparatus 2′,the information exchanged between the requesting apparatus 1′ and thecalculating apparatus 2′ can be concealed from the attacker M byscrambling the information with random numbers (r₁, r₂, for example)that are known only to the requesting apparatus F.

Since the information exchanged between the requesting apparatus 1′ andthe calculating apparatus 2′ is scrambled with random numbers, such asr₁ and r₂, that are known only to the requesting apparatus 1′, thecalculating apparatus 2′ cannot even know the inputs g and h of θ(g, h),to say nothing of θ(g, h) to be finally calculated by the requestingapparatus 1′.

Therefore, the calculating apparatus 2′ does not have to be a trustedcalculator, so that the requirements on the configuration of the systemfor calculating a bi-homomorphism can be reduced. Since the calculatingapparatus 2′ does not have to be a trusted calculator, which isgenerally expensive and requires high operational cost, the cost ofconstruction and operation of the system for calculating abi-homomorphism can be reduced.

<<Reason why ν′^(1/σ)=θ(g, μ_(h))>>

A random variable S_(X)(d), which is referred to as a randomizablesampler, will be first described. The random variable S_(X)(d) that is arandomizable sampler with an error X for wεF is expressed asS_(X)(d)=w^(d)X, where d denotes a natural number.

Provided that R₁, R₂, R₁′ and R₂′ denote random numbers, the result ofthe calculation performed by the calculating apparatus using g^(d)μ_(g)^(R1) and μ_(h) ^(R2) is expressed as B(g^(d)μ_(g) ^(R1), μ_(h) ^(R2))((z=B(g_(d)μ_(g) ^(R1), μ_(h) ^(R2)) where z denotes the calculationresult returned to the requesting apparatus from the calculatingapparatus), and a random variable X whose value is an element of thegroup F is defined as X=B(μ_(g) ^(R′1), μ_(h) ^(R′2))^(1/R′2)θ(μ_(g)^(R′1), μ_(h))⁻¹, S_(X)(d)=z^((1/R2))ν^(−R1) is a randomizable samplerwith an error X for θ(g, μ_(h)).

This is because S_(X)(d)=z^((1/R2))ν^(−R1)=B(g_(d)μ_(g) ^(R1), μ_(h)^(R2))^(1/R2)θ(μ_(g), μ_(h))^(−R1)=Xθ(g_(d)μ_(g) ^(R1), μ_(h))θ(μ_(g)^(R1), μ_(h))⁻¹=Xθ(g_(d), μ_(h))θ(μ_(g) ^(R1), μ_(h))⁻¹=θ(g,μ_(h))^(d)X.

In development of the formula described above, properties are used thatX=B(μ_(g) ^(R′1), μ_(h) ^(R′2))^(1/R′2)=θ(μ_(g) ^(R′1),μ_(h))⁻¹=B(g_(d)μ_(g) ^(R1), μ_(h) ^(R2))^(1/R2)θ(g^(d)μ_(g) ^(R1),μ_(h))⁻¹ and B(g^(d)μ_(g) ^(R1), μ_(h) ^(R2))^(1/R2)=Xθ(g^(d)μ_(g)^(R1), μ_(h)). These properties are based on the fact that R₁, R₂, R₁′and R₂′ are random numbers.

Provided that a realized value of S_(X)(1) is expressed as θ(g,μ_(h))¹x₁, and a realized value of S_(X)(d) is expressed as θ(g,μ_(h))^(d)x₂, the inventor has found that the realized value of S_(X)(1)raised to the d-th power is highly likely to be equal to the realizedvalue of S_(X)(d), that is, the relation (θ(g, μ_(h))¹x₁)^(d)=θ(g,μ_(h))^(d)x₂ is highly likely to hold when x₁ and x₂ are a unit elemente_(f) of the group F. The proof is omitted herein. When x₁ is the unitelement e_(f) of the group F, the realized value of S_(X)(1)=θ(g,μ_(h))¹x₁=θ(g, μ_(h)).

The proxy calculation system according to the embodiments describedabove uses these properties of the randomizable sampler.

The process from Step S11′ to Step S111′ corresponds to calculation ofthe realized value θ(g, μ_(h))¹x₁ of S_(X)(1). The realized value ofS_(X)(1) itself is not actually calculated. However, using (r₂,z₁ν^(−r1r2)) resulting from the process, z₁ν^(−r1r2) is raised to the1/r₂-th power. The resulting (z₁ν^(−r1r2))^(1/r2) is equal to z₁^(1/r2)ν^(−r1), which is equal to the realized value θ(g, μ_(h))¹x₁ ofS_(X)(1). Similarly, the process from Step S112′ to Step S123′corresponds to calculation of the realized value θ(g, μ_(h))^(d1)x₂ ofS_(X)(d₁).

The processing of Step S124′ corresponds to determination of whether ornot the realized value of S_(X)(1) raised to the d₁th power is equal toS_(X)(d₁), that is, (θ(g, μ_(h))x₁)^(d1)=θ(g, μ_(h))^(d1)x₂. This isbecause the determination criterion (w₁)̂(t₂s₂s₁ ⁻¹) used in Step S124′is based on the fact that (w₁)̂(t₂s₂s₁ ⁻¹)=w₂

(w₁ ^(2/s1))^(t2)=w₂ ^(1/s2)

(z₁ ^(1/r2)ν^(−r1))^(d1)=z₂ ^(1/r5)ν^(−r4)

(θ(g, μ_(h))¹x₁)^(d1)=θ(g, μ_(h))^(d1)x₂

the realized value of S_(X)(1) raised to the d₁-th power=the realizedvalue of S_(X)(1). Note that, according to the definition, s₁=r₂,w₁=z₁ν^(−r1r2), t₂=d₁, S₂=r₅, and w₂=z₂ν^(−r4r5).

Furthermore, σ and ν′ in Step S125′ correspond to θ(g, μ_(h)). This isbecause ν′^(1/σ)=w₁ ^(1/s1)=z₁ ^(1/r2)ν^(−r1)=θ(g, μ_(h))¹x₁=θ(g, μ_(h))when the realized value of S_(X)(1) raised to the d₁-th power=therealized value of S_(X)(d₁) as described above.

<<Reason why (w₃)̂(s₃ ⁻¹)=θ(g, h)>>

Provided that R₁, R₂, R₁′ and R₂′ denote random numbers, the result ofthe calculation performed by the calculating apparatus using g^(R1) andh^(d)μ_(h) ^(R2) is expressed as B(g^(R1), h^(d)μ_(h) ^(R2))(z=B(g^(R1), h^(d)μ_(h) ^(R2)) where z denotes the calculation resultreturned to the requesting apparatus from the calculating apparatus),and a random variable X whose value is an element of the group F isdefined as X=B(g^(R′1), μ_(h) ^(R2))^(1/R′1)θ(g, μ_(h) ^(R2))⁻¹,S_(X)(d)=z^((1/R1))ν′^(−R2) is a randomizable sampler with an error Xfor θ(g, h).

This is because S_(X)(d)=z^((1/R1))ν′^(−R2)=B(g^(R1), h^(d)μ_(h)^(R2))^(1/R1)θ(g, μ_(g))^(−R2)=Xθ(g, h^(d)μ_(h) ^(R2))θ(g, μ_(h)^(R2))⁻¹=Xθ(g, h^(d))θ(g, μ_(h) ^(R2))θ(g, μ_(h) ^(R2))⁻¹=θ(g, h)^(d)X.

In development of the formula described above, properties are used thatX=B(g^(R′1), μ_(h) ^(R′2))^(1/R′1)θ(g, μ_(h) ^(R′2))⁻¹=B(g^(R1), μ_(h)^(R2))^(1/R1)θ(g, h^(d)μ_(h) ^(R2))⁻¹ and B(g^(R1), h^(d)μ_(h)^(R2))^(1/R1)=Xθ(g, h^(d)μ_(h) ^(R1)). These properties are based on thefact that R₁, R₂, R₁′ and R₂′ are random numbers.

Provided that a realized value of S_(X)(1) is expressed as θ(g, h)¹x₁,and a realized value of S_(X)(d) is expressed as θ(g, h)^(d)x₂, theinventor has found that the realized value of S_(X)(1) raised to thed-th power is highly likely to be equal to S_(X)(d), that is, therelation (θ(g, h)¹x₁)^(d)=θ(g, h)^(d)x₂ is highly likely to hold when x₁and x₂ are a unit element e_(f) of the group F. The proof is omittedherein. When x₁ is the unit element e_(f) of the group F, the realizedvalue of S_(X)(1)=θ(g, h)¹x₁=θ(g, h).

The proxy calculation system according to the embodiments describedabove uses these properties of the randomizable sampler.

The process from Step S21′ to Step S211′ corresponds to calculation ofthe realized value θ(g, h)¹x₁ of S_(X)(1). The realized value ofS_(X)(1) itself is not actually calculated. However, using (r₆,z₃ν′^(−r6r7)) resulting from the process, z₃ν′^(−r6r7) is raised to the1/r₆-th power. The resulting (z₃ν′^(−r6r7))^(1/r6) is equal toz₃ν′^(−r7), which is equal to the realized value θ(g, h)¹x₁ of S_(X)(1).Similarly, the process from Step S212′ to Step S223′ corresponds tocalculation of the realized value θ(g, h)^(d2)x2 of S_(X)(d₂).

The processing of Step S224′ corresponds to determination of whether ornot the realized value of S_(X)(1) raised to the d₂-th power is equal tothe realized value of S_(X)(d₂), that is, (θ(g, h)¹x₁)^(d2)=θ(g,h)^(d2)x₂. This is because the determination criterion (w₃)̂(t₄s₄s₃⁻¹)=w₄ used in Step S224′ is based on the fact that (w₃)̂(t₄s₄s₃ ⁻¹)=w₄

(w₃ ^(1/s3))^(t4)=w₄ ^(1/s4)

(z3^(1/r6)ν′^(−r7))^(d2)=z₄ ^(1/r9)ν′^(−r10)

(θ(g, h)¹x₁)^(d2)=θ(g, h)^(d2)x₂

the realized value of S_(X)(1) raised to the d₂-th power=the realizedvalue of S_(X)(d₂). Note that, according to the definition, s₃=_(r6),w₃=z₃ν′^(−r6r7), t₄=d₂, s₄=r₉, and w₄=z₄ν′^(−r9r10).

Furthermore, (w₃)̂(s₃ ⁻¹) in Step S225′ corresponds to θ(g, h). This isbecause (w₃)^(̂(s) ₃ ⁻¹) (z₃ν′^(−r6r7))̂(r₆ ⁻¹)=z₃ ^(1/r6)ν′^(r7)=θ(g,h)¹x₁=θ(g, h) when the realized value of S_(X)(1) raised to the d₂-thpower=the realized value of S_(X)(d₂) as described above.

Fifth Embodiment

A proxy calculation system according to a fifth embodiment differs fromthe proxy calculation system according to the fourth embodiment in StepsS13′, S110′ and S111′ and is the same as the proxy calculation systemaccording to the fourth embodiment in the other respects. The followingdescription will be mainly focused on the differences from the fourthembodiment.

The first input information calculating part 13′ does not calculate thefirst input information defined as g₁=μ_(g) ^(r1)g but calculates firstinput information defined as g₁=g^(r1) (Step S13′).

The first list information calculating part 15′ does not use z₁ν^(−r1r2)but uses the random numbers r₁ and r₂ to calculate r₁r₂, and transmitsthe calculation result to the first list storage part 16′ (Step S110′).

The first list storage part 16′ does not store the information set (r₂,z₂ν^(−r1r2)) but stores information set (r₁r₂, z₁) composed of thecalculated r₁r₂ and z₁εF received from the calculating apparatus 2′(Step S111′).

While Step S110′ in the fourth embodiment is to perform exponentiationof z₁ν^(−r1r2) for the group F, Step S110′ in the fifth embodiment is tocalculate r₁r₂, so that the number of calculations is reduced by one.Since the number of exponentiations is reduced in this way, thecalculation efficiency can be improved. If it is difficult to calculatea nontrivial root for the groups G and H, the security does notdeteriorate compared with the fourth embodiment.

Sixth Embodiment

A proxy calculation system according to a sixth embodiment differs fromthe proxy calculation system according to the fourth embodiment in StepsS24′, S210′ and S211′ and is the same as the proxy calculation systemaccording to the fourth embodiment in the other respects. The followingdescription will be mainly focused on the differences from the fourthembodiment.

The sixth input information calculating part 34′ does not calculate thesixth input information defined as h₃=μ_(h) ^(r7σ) but calculates sixthinput information defined as h₃=h^(r7) (Step S24′).

The third list information calculating part 35′ does not usez₃ν′^(−r6r7) but uses the random numbers r₆ and r₇ to calculate r₆r₇(Step S210′).

The third list storage part 36′ does not store the information set (r₆,z₃ν′^(−r6r7)) but stores information set (r₆r₇, z₃) composed of thecalculated r₆r₇ and z₃εF received from the calculating apparatus 2′(Step S211′).

While Step S210′ in the fourth embodiment is to perform exponentiationof z₃ν′^(−r6r7) for the group F, Step S210′ in the sixth embodiment isto calculate r₆r₇, so that the number of calculations is reduced by one.Since the number of exponentiations is reduced in this way, thecalculation efficiency can be improved.

If it is difficult to calculate a nontrivial root for the groups G andH, the security does not deteriorate compared with the fourthembodiment.

Seventh Embodiment

A proxy calculation system according to a seventh embodiment differsfrom the proxy calculation system according to the fourth embodiment inSteps S125′ and S214′ and is the same as the proxy calculation systemaccording to the fourth embodiment in the other respects. The followingdescription will be mainly focused on the differences from the fourthembodiment.

If the relation described above is satisfied, the first determining part28′ substitutes t₁s₂ for σ and w₂ for ν′ (Step S125′).

The tenth random number generating part 42′ calculate −r₉ ⁻¹ using therandom number r₉ and designates the calculation result as r₁₀ (StepS214′).

Since the definition of ν′ is modified to make σ a random number that isdifficult to guess in this way, the security is improved. In addition,since the random number r₉ is used to calculate the random number r₁₀,the number of generations of random numbers can be reduced. It may seemthat the randomness of the eighth input information h₄=μ^(r10σ)h^(d2)decreases and the security deteriorates because the random number r₁₀ isdetermined by the random number r₉, but the security does not actuallydeteriorate because the eighth input information h₄=μ_(h) ^(r10σ)h^(d2)is scrambled not only with the random number r₁₀ but also σ.

According to the seventh embodiment, Steps S22′ and S211′ may also bemodified as described below.

The seventh random number generating part 32′ calculates −r₆ ⁻¹ usingthe random number r₆ and designates the calculation result as r₇ (StepS22′).

The third list storage part 36′ stores information set (1, z₃ν′^(−r6r7))composed of 1 and the calculated z₃ν′^(−r6r7) (Step S211′).

Since the random number r₇ is calculated using the random number r₆ inthis way, the number of generations of random numbers can be reduced.

If it is difficult to calculate a nontrivial root for the groups G andH, the security does not deteriorate compared with the fourthembodiment.

Eighth Embodiment

A proxy calculation system according to an eighth embodiment differsfrom the proxy calculation system according to the fourth embodiment inStep S113′ and is the same as the proxy calculation system according tothe fourth embodiment in the other respects. The following descriptionwill be mainly focused on the differences from the fourth embodiment.

Before Step S113′, the fifth random number generating part 22′ generatesthe random number r₅ (Step S114′).

The fourth random number generating part 21′ calculates −r₅ ⁻¹ using therandom number r₅ and designates the calculation result as r₄ (StepS113′).

Since the random number r₄ is calculated using the random number r₅ inthis way, the number of generations of random numbers can be reduced.

If it is difficult to calculate an arbitrary element h of the group Hthat satisfies a relation θ(g, h)=ν where gεG, the security does notdeteriorate compared with the fourth embodiment.

Ninth Embodiment

A proxy calculation system according to a ninth embodiment differs fromthe proxy calculation system according to the fourth embodiment in StepS115′ and in that the requesting apparatus 1′ further comprises apre-calculation part 29′ shown by a dashed line in FIG. 12 and is thesame as the proxy calculation system according to the fourth embodimentin the other respects. The following description will be mainly focusedon the differences from the fourth embodiment.

The pre-calculation part 29′ calculates g^(d1) using d₁ generated by thethird random number generating part 27′. This processing is performedafter Step S112′ and before Step S115′.

The third input information calculating part 23′ calculates g₂=μ_(g)^(r4)g^(d1) using the previously calculated g^(d1) (Step S115′).

If the determination criterion is not satisfied in Step S114′, theprocess from Step S11′ to Step S123′ is repeated, and when the processis repeated, the previously calculated g^(d1) is reused. That is, thethird random number generating part 27′ does not generate the randomnumber d₁, and the third input information calculating part 23′calculates g₂=μ_(g) ^(r4)g^(d1) using the previously calculated g^(d1).As a result, the number of generations of the random number d₁ can bereduced, and g₂=μ_(g) ^(r4)g^(d1) can be calculated in a shorter time.

Tenth Embodiment

A proxy calculation system according to a tenth embodiment differs fromthe proxy calculation system according to the fourth embodiment in StepS216′ and in that the requesting apparatus 1′ further comprises apre-calculation part 49′ shown by a dashed line in FIG. 13 and is thesame as the proxy calculation system according to the fourth embodimentin the other respects. The following description will be mainly focusedon the differences from the fourth embodiment.

The pre-calculation part 49′ calculates h^(d2) using d₂ generated by theeighth random number generating part 47′. This processing is performedafter Step S212′ and before Step S216′.

The eighth input information calculating part 44′ calculates h₄=μ_(h)^(r10σ)h^(d2) using the previously calculated h^(d2) (Step S216′).

If the determination criterion is not satisfied in Step S214′, theprocess from Step S21′ to Step S223′ is repeated, and when the processis repeated, the previously calculated h^(d2) is reused. That is, theeighth random number generating part 47′ does not generate the randomnumber d₂, and the eighth input information calculating part 44′calculates h₄=μ_(h) ^(r10σ)h^(d2) using the previously calculatedh^(d2). As a result, the number of generations of the random number d₂can be reduced, and h₄=μ_(h) ^(r10σ)h^(d2) can be calculated in ashorter time.

Modifications of Fourth to Tenth Embodiment

When each of the first random number generating part 11′, the secondrandom number generating part 12′, the third random number generatingpart 27′, the fourth random number generating part 21′, the fifth randomnumber generating part 22′, the sixth random number generating part 31′,the seventh random number generating part 32′, the eighth random numbergenerating part 47′, the ninth random number generating part 41′ and thetenth random number generating part 42′ generates a uniform randomnumber, the security of the proxy calculation system is at the highestlevel. However, when such a high security level is not required, each ofthe first random number generating part 11′, the second random numbergenerating part 12′, the third random number generating part 27′, thefourth random number generating part 21′, the fifth random numbergenerating part 22′, the sixth random number generating part 31′, theseventh random number generating part 32′, the eighth random numbergenerating part 47′, the ninth random number generating part 41′ and thetenth random number generating part 42′ may generate a random numberthat is not a uniform random number.

The first determining part 28′ may perform the processing each time aninformation set is added to the lists L₁ and L₂. For example, in thecase where the second list storage part 26′ stores the information set(d₁, r₅, z₂ν^(r4r5)), the processing of Step S124′ may be performedafter Step S111′.

Similarly, the second determining part 48′ may perform the processingeach time an information set is added to the lists L₃ and L₄.

The fourth to tenth embodiments can be combined with each other.

The parts of the requesting apparatus 1′ may exchange data directly orvia a storage part (not shown). Similarly, the parts of the calculatingapparatus 2′ may exchange data directly or via a storage part (notshown).

Each of the requesting apparatus 1′ and the calculating apparatus 2′ canbe implemented by a computer. In this case, specific processings of thefunctions that the apparatus has to have are described in a program. Thecomputer executes the program, thereby implementing each processingfunction of the apparatus.

The program that describes the specific processings can be recorded in acomputer-readable recording medium. As an alternative to using acomputer that executes a predetermined program to provide theseapparatuses, at least part of these specific processings may beimplemented in a hardware form.

The first to third embodiments and the fourth to tenth embodiments maybe combined with each other. For example, as illustrated in FIG. 17, thecalculating apparatus 2 according to the first to third embodiments maycomprise the requesting apparatus 1′ according to the fourth to tenthembodiments, and the calculating apparatus 2 comprising the requestingapparatus 1′ may calculate the function f using the calculatingapparatus 2′ as described above with regard to the fourth to tenthembodiments.

More specifically, in order to calculate the function f(x) that needs tobe calculated, the calculating apparatus 2 uses the calculatingapparatus 2′ to calculate the value of the corresponding map θ(g, h).The map θ(g, h) corresponding to the function f(x) is a map θ(g, h) thatoutputs the same value as the function f(x) for a given function f and agiven value x. If there is a relation f(x)=θ(x, h) for an element hεH, amap 0 corresponding to f(x) is θ(x, h).

For example, in the Boneh/Franklin ID-based encryption described inReference 1, a decryption function for a certain ID is denoted by f. Inthis ID-based encryption, finite groups G and H of points on an ellipticcurve and pairing σ: G×H→F are used. Q denotes an element of the groupG. A secret key of a key distribution center for the ID-based encryptionis denoted by s, and a public key is denoted by P=sQ. Public parametersof the ID-based encryption are descriptions of the groups G and H, adescription of the pairing τ, and Q and P.

[Reference 1] Dan Boneh, Matt Franklin, “Identity-Based Encryption fromthe Weil Pairing”, CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.

Issue of a key occurs as described below. The key distribution centercalculates P_(ID)=sQ_(ID) for an element Q_(ID) of the group H thatdepends on the ID and notifies a holder of the ID of the P_(ID)=sQ_(ID).P_(ID) is a secret key of the holder of the ID. The decryption functionf: G→F is defined as f(x)=τ(s, P_(ID)).

Generation of a cipher text and decryption of the cipher text occur asdescribed below. A plain text m is encrypted for an ID by generating arandom number r and calculating (Q^(r), m(+)H(τ(P^(r), Q_(ID)))), whichis a cipher text (C₁, C₂). The cipher text is decrypted into the plaintext by calculating C₂(+)H(f(C₁)) for the cipher text (C₁, C₂). Notethat H denotes a hash function, and (+) denotes exclusive OR.

In the Boneh/Franklin ID-based encryption, the map 0 for the functionf(x) is defined using the pairing τ, for example. Specifically,f(x)=τ(x, P_(ID)).

In the case where the calculating apparatus 2 is an IC card or acellular phone, which is not susceptible to extraction of secretinformation but has a limited computational capacity, combining multiplerequesting apparatuses and multiple calculating apparatuses in this wayis advantageous.

The present invention is not limited to the embodiments described above,and various modifications can be made as required without departing fromthe spirit of the present invention.

1. A proxy calculation system, comprising: an integer calculation partthat calculates integers a′ and b′ that satisfy a relation a′a+b′b=1using two natural numbers a and b that are relatively prime; a firstrandomizable sampler that is capable of calculating f(x)^(b)x₁ anddesignates the calculation result as u; a first exponentiation part thatcalculates u′=u^(a); a second randomizable sampler that is capable ofcalculating f(x)^(a)x₂ and designates the calculation result as v; asecond exponentiation part that calculates v′=v^(b); a determining partthat determines whether u′=v′ or not; and a final calculation part thatcalculates u^(b′)v^(a′) in a case where it is determined that u′=v′,where G and H are cyclic groups, f is a function that maps an element xof the group H into the group G, X₁ and X₂ are random variables whosevalues are elements of the group G, x₁ is a realized value of the randomvariable X₁, and x₂ is a realized value of the random variable X₂. 2.The proxy calculation system according to claim 1, further comprising: asampler that is capable of calculating f(x)x₃, where X₃ is a randomvariable whose value is an element of the group G and x₃ is a realizedvalue of the random variable X₃, performs the calculation instead ofsaid second randomizable sampler and designates the calculation resultas said v when a=1, and performs the calculation instead of said firstrandomizable sampler and designates the calculation result as said uwhen b=1.
 3. The proxy calculation system according to claim 1, whereinsaid first randomizable sampler comprises a first random numbergenerating part that generates a random number r₁ that is an integerequal to or greater than 0 and smaller than K_(H), a first inputinformation calculating part that calculates first input informationμ_(h) ^(r1)x^(b), a first output information calculating part that iscapable of calculating f(μ_(h) ^(r1)x^(b)) using said first inputinformation μ_(h) ^(r1)x^(b) and designates the calculation result asfirst output information z₁, and a first calculating part thatcalculates z₁ν^(−r1) and designates the calculation result as said u,and said second randomizable sampler comprises a second random numbergenerating part that generates a random number r₂ that is an integerequal to or greater than 0 and smaller than K_(H), a second inputinformation calculating part that calculates second input informationμ_(h) ^(r2)x^(a), a second output information calculating part that iscapable of calculating f(μ_(h) ^(r2)x^(a)) using said second inputinformation μ_(h) ^(r2)x^(a) and designates the calculation result assecond output information z₂, and a second calculating part thatcalculates z₂ν^(−r2) and designates the calculation result as said v,where said f is a homomorphism, μ_(h) is a generator of the group H,K_(H) is an order of the group H, and ν=f(μ_(h)).
 4. The proxycalculation system according to claim 3, further comprising: a samplerthat comprises a third random number generating part that generates arandom number r₃ that is an integer equal to or greater than 0 andsmaller than K_(H), a third input information calculating part thatcalculates third input information xr^(r3), a third output informationcalculating part that is capable of calculating f(x^(r3)) using saidthird input information x^(r3) and designates the calculation result asthird output information z₃, and a third calculating part thatcalculates z₃ ^(1/r3) instead of said second randomizable sampler anddesignates the calculation result as said v when a=1 and calculates z₃^(1/r3) instead of said first randomizable sampler and designates thecalculation result as said u when b=1.
 5. The proxy calculation systemaccording to claim 1, wherein said first randomizable sampler comprisesa fourth random number generating part that generates a random number r₄that is an integer equal to or greater than 0 and smaller than K_(G), afifth random number generating part that generates a random number r₅that is an integer equal to or greater than 0 and smaller than K_(G), afourth input information calculating part that calculates fourth inputinformation c₁ ^(b)V^(r4)μ_(g) ^(r5), a fifth input informationcalculating part that calculates fifth input information c₂ ^(b)W^(r4),a fourth output information calculating part that is capable ofcalculating f(c₁ ^(b)V^(r4)μ_(g) ^(r5), c₂ ^(b)W^(r4)) using said fourthinput information c₁ ^(b)V^(r4)μ_(g) ^(r5) and said fifth inputinformation c₂ ^(b)W^(r4) and designates the calculation result asfourth output information z₄, and a fourth calculating part thatcalculates z₄Y^(−r4)μ_(g) ^(−r5) and designates the calculation resultas said u, and said second randomizable sampler comprises a sixth randomnumber generating part that generates a random number r₆ that is aninteger equal to or greater than 0 and smaller than K_(G), a seventhrandom number generating part that generates a random number r₇ that isan integer equal to or greater than 0 and smaller than K_(G), a sixthinput information calculating part that calculates sixth inputinformation c₁ ^(a)V^(r6)μ_(g) ^(r7), a seventh input informationcalculating part that calculates seventh input information c₂^(a)W^(r6), a fifth output information calculating part that is capableof calculating f(c₁ ^(a)V^(r6)μ_(g) ^(r7), c₂ ^(a)W^(r6), using ing saidsixth input information c₁ ^(a)V^(r6)μ_(g) ^(r7) and said seventh inputinformation c₂ ^(a)W^(r6) and designates the calculation result as fifthoutput information z₅, and a fifth calculating part that calculatesz₅Y^(−r6)μ_(g) ^(−r7) and designates the calculation result as said v,where the group H=G×G, said f is a homomorphism, μ_(g) is a generator ofthe group G, K_(G) is an order of the group G, x=(c₁, c₂), (V, W) is anelement of the group H, and f(V, W)=Y.
 6. A proxy calculation method,comprising: an integer calculation step in which an integer calculationpart calculates integers a′ and b′ that satisfy a relation a′a+b′b=1using two natural numbers a and b that are relatively prime; a firstrandomizable sample extracting step in which a first randomizablesampler capable of calculating f(x)^(b)x₁ designates the calculationresult as u; a first exponentiation step in which a first exponentiationpart calculates u′=u^(a); a second randomizable sample extracting stepin which a second randomizable sampler capable of calculating f(x)^(a)x₂designates the calculation result as v; a second exponentiation step inwhich a second exponentiation part calculates v′=v^(b); a determinationstep in which a determining part determines whether u′=v′ or not; and afinal calculation step in which a final calculation part calculatesu^(b′)v^(a′) in a case where it is determined that u′=v′, where G and Hare cyclic groups, f is a function that maps an element x of the group Hinto the group G, X₁ and X₂ are random variables whose values areelements of the group G, x₁ is a realized value of the random variableX₁, and x₂ is a realized value of the random variable X₂.
 7. Arequesting apparatus, comprising: an integer calculation part thatcalculates integers a′ and b′ that satisfy a relation a′a+b′b=1 usingtwo natural numbers a and b that are relatively prime; a firstexponentiation part that calculates u′=u^(a) using a calculation resultu from a first randomizable sampler that is capable of calculatingf(x)^(b)x₁, a second exponentiation part that calculates v′=v^(b) usinga calculation result v from a second randomizable sampler that iscapable of calculating f(x)^(a)x₂; a determining part that determineswhether u′=v′ or not; and a final calculation part that calculatesU^(b′)v^(a′) in a case where it is determined that u′=v′, where G and Hare cyclic groups, f is a function that maps an element x of the group Hinto the group G, X₁ and X₂ are random variables whose values areelements of the group G, x₁ is a realized value of the random variableX₁, and x₂ is a realized value of the random variable X₂.
 8. A proxycalculation system that calculates θ(g, h) using a result of acalculation performed by a calculating apparatus in response to arequest from a requesting apparatus, wherein said requesting apparatuscomprises: a first random number generating part that generates a randomnumber r₁ that is an integer equal to or greater than 0 and smaller thanK_(G); a second random number generating part that generates a randomnumber r₂ that is an integer equal to or greater than 0 and smaller thanK_(H); a first input information calculating part that calculates firstinput information g₁=μ_(g) ^(r1)g; a second input informationcalculating part that calculates second input information h₁=μ_(h)^(r2); a first list information calculating part that calculatesz₁ν^(−r1r2) using z₁εF received from said calculating apparatus; a firstlist storage part that stores an information set (r₂, z₁ν^(−r1r2))composed of said random number r₂ and said calculated z₁ν^(−r1r2); athird random number generating part that generates a uniform randomnumber d₁ that is an integer equal to or greater than 0 and smaller thanK; a fourth random number generating part that generates a uniformrandom number r₄ that is an integer equal to or greater than 0 andsmaller than K_(G); a fifth random number generating part that generatesa uniform random number r₅ that is an integer equal to or greater than 0and smaller than K_(H); a third input information calculating part thatcalculates third input information g₂=μ_(g) ^(r4)g^(d1); a fourth inputinformation calculating part that calculates fourth input informationh₂=μ_(h) ^(r5); a second list information calculating part thatcalculates z₂ν^(−r4r5) using z₂εF received from said calculatingapparatus; a second list storage part that stores an information set(d₁, r₅, z₂ν^(−r4r5)) composed of said d₁, said r₅ and said calculatedz₂ν^(−r4r5); a first determining part that determines whether or not theinformation set read from said first list storage part and theinformation set read from said second list storage part satisfy arelation (w₁)̂(t₂s₂₅₁ ⁻¹)=w₂, and substitutes s₁ for σ and w₁ for ν′ in acase where the relation is satisfied, where s₁ and w₁ are a firstcomponent and a second component of the information set read from saidfirst list storage part, respectively, and t₂, s₂ and W₂ are a firstcomponent, a second component and a third component of the informationset read from said second list storage part, respectively; a sixthrandom number generating part that generates a uniform random number r₆that is an integer equal to or greater than 0 and smaller than K_(G); aseventh random number generating part that generates a uniform randomnumber r₇ that is an integer equal to or greater than 0 and smaller thanK_(H); a fifth input information calculating part that calculates fifthinput information g₃=g^(r6); a sixth input information calculating partthat calculates sixth input information h₃=μ_(h) ^(r7σ)h; a third listinformation calculating part that calculates z₃ν^(−r6r7) using z₃εFreceived from said calculating apparatus; a third list storage part thatstores an information set (r₆, z₃ν^(−r6r7)) composed of said r₆ and saidcalculated z₃ν^(−r6r7); an eighth random number generating part thatgenerates a uniform random number d₂ that is an integer equal to orgreater than 0 and smaller than K; a ninth random number generating partthat generates a uniform random number r₉ that is an integer equal to orgreater than 0 and smaller than K_(G); a tenth random number generatingpart that generates a uniform random number r₁₀ that is an integer equalto or greater than 0 and smaller than K_(H); a seventh input informationcalculating part that calculates seventh input information g₄=μ_(g)^(r9); an eighth input information calculating part that calculateseighth input information h₄=μ_(h) ^(r10σ)h^(d2); a fourth listinformation calculating part that calculates z₄ν′^(−r9r10) using z₄εFreceived from said calculating apparatus; a fourth list storage partthat stores an information set (d₂, r₉, z₄ν′^(−r9r10)) composed of saidd₂, said r₉ and said calculated z₄ν′^(−r9r10); and a second determiningpart that determines whether or not the information set read from saidthird list storage part and the information set read from said fourthlist storage part satisfy a relation (w₃)̂(t₄s₄s₃ ⁻¹)=w₄, and outputs(w₃)̂(s₃ ⁻¹) in a case where the relation is satisfied, where s₃ and w₃are a first component and a second component of the information set readfrom said third list storage part, respectively, and t₄, s₄ and w₄ are afirst component, a second component and a third component of theinformation set read from said fourth list storage part, respectively,and said calculating apparatus comprises: a first output informationcalculating part that is capable of calculating θ(g₁, h₁) using g₁ andh₁ received from said requesting apparatus and outputs the calculationresult as said z₁; a second output information calculating part that iscapable of calculating θ(g₂, h₂) using g₂ and h₂ received from saidrequesting apparatus and outputs the calculation result as said z₂; athird output information calculating part that is capable of calculatingθ(g₃, h₃) using g₃ and h₃ received from said requesting apparatus andoutputs the calculation result as said z₃; and a fourth outputinformation calculating part that is capable of calculating θ(g₄, h₄)using g₄ and h₄ received from said requesting apparatus and outputs thecalculation result as said z₄, where G, H and F are cyclic groups, a mapθ: G×H→F is a bi-homomorphism, g is an element of the group G, h is anelement of the group H, K_(G) is an order of the group G, K_(H) is anorder of the group H, μ_(g) is a generator of the group G, μ_(h) is agenerator of the group H, ν=μ_(g), μ_(g)), k is a security parameterthat is a natural number, and K=2^(k).
 9. The proxy calculation systemaccording to claim 8, wherein said first input information calculatingpart calculates first input information g₁=g_(r1), said fist listinformation calculating part calculates r₁r₂ using said r₁ and said r₂,and said first list storage part stores an information set (r₁r₂, z₁)composed of said calculated r₁r₂ and z₁εF received from said calculatingapparatus.
 10. The proxy calculation system according to claim 8 or 9,wherein said sixth input information calculating part calculates sixthinput information h₃=h^(r7), said third list information calculatingpart calculates r₆r₇ using said r₆ and said r₇, and said third liststorage part stores an information set (r₆r₇, z₃) composed of saidcalculated r₆r₇ and z₃εF received from said calculating apparatus. 11.The proxy calculation system according to any one of claims 8 to 10,wherein said first determining part substitutes t₁s₂ for σ and w₂ for ν′in a case where said relation is satisfied, and said tenth random numbergenerating part calculates −r₉ ⁻¹ using said r₉ and designates thecalculation result as r₁₀.
 12. The proxy calculation system according toclaim 11, wherein said seventh random number generating part calculates−r₆ ⁻¹ using said r₆ and designates the calculation result as r₇, andsaid third list storage part stores an information set (1, z₃ν^(−r6r7))composed of 1 and said calculated z₃ν′^(−r6r7).
 13. The proxycalculation system according to any one of claims 8 to 12, wherein saidfourth random number generating part calculates −r₅ ⁻¹ using said r₅ anddesignates the calculation result as r₄.
 14. The proxy calculationsystem according to any one of claims 8 to 13, further comprising: apre-calculation part that calculates g^(d1) using said d₁, wherein saidthird input information calculating part calculates said g₂ using saidpreviously calculated g^(d1).
 15. The proxy calculation system accordingto any one of claims 8 to 14, further comprising: a pre-calculation partthat calculates h^(d2) using said d₂, wherein said eighth inputinformation calculating part calculates said h₄ using said previouslycalculated h^(d2).
 16. A proxy calculation method of calculating θ(g, h)using a result of a calculation performed by a calculating apparatus inresponse to a request from a requesting apparatus, comprising: a firstrandom number generating step in which a first random number generatingpart of said requesting apparatus generates a random number r₁ that isan integer equal to or greater than 0 and smaller than K_(G); a secondrandom number generating step in which a second random number generatingpart of said requesting apparatus generates a random number r₂ that isan integer equal to or greater than 0 and smaller than K_(H); a firstinput information calculating step in which a first input informationcalculating part of said requesting apparatus calculates first inputinformation g₁=μ_(g) ^(r1)g; a second input information calculating stepin which a second input information calculating part of said requestingapparatus calculates second input information h₁=μ_(h) ^(r2); a firstoutput information calculating step in which a first output informationcalculating part of said calculating apparatus capable of calculatingθ(g₁, h₁) using g₁ and h₁ received from said requesting apparatusoutputs the calculation result as said z₁; a first list informationcalculating step in which a first list information calculating part ofsaid requesting apparatus calculates z₁ν^(−r1r2) using z₁εF receivedfrom said calculating apparatus; a step in which a first list storagepart of said requesting apparatus stores an information set (r₂,z₁ν^(−r1r2)) composed of said random number r₂ and said calculatedz₁ν^(−r1r2); a third random number generating step in which a thirdrandom number generating part of said requesting apparatus generates auniform random number d₁ that is an integer equal to or greater than 0and smaller than K; a fourth random number generating step in which afourth random number generating part of said requesting apparatusgenerates a uniform random number r₄ that is an integer equal to orgreater than 0 and smaller than K_(G); a fifth random number generatingstep in which a fifth random number generating part of said requestingapparatus generates a uniform random number r₅ that is an integer equalto or greater than 0 and smaller than K_(H); a third input informationcalculating step in which a third input information calculating part ofsaid requesting apparatus calculates third input information g₂=μ_(g)^(r4)g^(d1); a fourth input information calculating step in which afourth input information calculating part of said requesting apparatuscalculates fourth input information h₂=μ_(h) ^(r5); a second outputinformation calculating step in which a second output informationcalculating part of said calculating apparatus capable of calculatingθ(g₂, h₂) using g₂ and h₂ received from said requesting apparatusoutputs the calculation result as said z₂; a second list informationcalculating step in which a second list information calculating part ofsaid requesting apparatus calculates z₂ν^(−r4r5) using z₂εF receivedfrom said calculating apparatus; a step in which a second list storagepart of said requesting apparatus stores an information set (d₁, r₅,z₂ν^(−r4r5)) composed of said d₁, said r₅ and said calculatedz₂ν^(−r4r5). a first determination step in which a first determiningpart of said requesting apparatus determines whether or not theinformation set read from said first list storage part and theinformation set read from said second list storage part satisfy arelation (w₁)̂(t₂s₂s₁ ⁻¹)=w₂, and substitutes s₁ for σ and w₁ for ν′ in acase where the relation is satisfied, where s₁ and w₁ are a firstcomponent and a second component of the information set read from saidfirst list storage part, respectively, and t₂, s₂ and w₂ are a firstcomponent, a second component and a third component of the informationset read from said second list storage part, respectively; a sixthrandom number generating step in which a sixth random number generatingpart of said requesting apparatus generates a uniform random number r₆that is an integer equal to or greater than 0 and smaller than K_(G); aseventh random number generating step in which a seventh random numbergenerating part of said requesting apparatus generates a uniform randomnumber r₇ that is an integer equal to or greater than 0 and smaller thanK_(H); a fifth input information calculating step in which a fifth inputinformation calculating part of said requesting apparatus calculatesfifth input information g₃=g^(r6); a sixth input information calculatingstep in which a sixth input information calculating part of saidrequesting apparatus calculates sixth input information h₃=μ_(h)^(r7σ)h; a third output information calculating step in which a thirdoutput information calculating part of said calculating apparatuscapable of calculating θ(g₃, h₃) using g₃ and h₃ received from saidrequesting apparatus outputs the calculation result as said z₃; a thirdlist information calculating step in which a third list informationcalculating part of said requesting apparatus calculates z₃ν′^(−r6r7)using z₃εF received from said calculating apparatus; a step in which athird list storage part of said requesting apparatus stores aninformation set (r₆, z₃ν′^(−r6r7)) composed of said r₆ and saidcalculated z₃ν^(−r6r7); an eighth random number generating step in whichan eighth random number generating part of said requesting apparatusgenerates a uniform random number d₂ that is an integer equal to orgreater than 0 and smaller than K; a ninth random number generating stepin which a ninth random number generating part of said requestingapparatus generates a uniform random number r₉ that is an integer equalto or greater than 0 and smaller than K_(G); a tenth random numbergenerating step in which a tenth random number generating part of saidrequesting apparatus generates a uniform random number r₁₀ that is aninteger equal to or greater than 0 and smaller than K_(H); a seventhinput information calculating step in which a seventh input informationcalculating part of said requesting apparatus calculates seventh inputinformation g₄=μ_(g) ^(r9); an eighth input information calculating stepin which an eighth input information calculating part of said requestingapparatus calculates eighth input information h₄=μ_(h) ^(r10σ)h^(d2); afourth output information calculating step in which a fourth outputinformation calculating part of said calculating apparatus capable ofcalculating θ(g₄, h₄) using g₄ and h₄ received from said requestingapparatus outputs the calculation result as said z₄, a fourth listinformation calculating step in which a fourth list informationcalculating part of said requesting apparatus calculates z₄ν′^(−r9r10)using z₄εF received from said calculating apparatus; a step in which afourth list storage part of said requesting apparatus stores aninformation set (d₂, r₉, z₄ν′^(−r9r10)) composed of said d₂, said r₉ andsaid calculated z₄ν′^(−r9r10), and a second determination step in whicha second determining part of said requesting apparatus determineswhether or not the information set read from said third list storagepart and the information set read from said fourth list storage partsatisfy a relation (w₃)̂(t₄s₄s₃ ⁻¹)=w₄, and outputs (w₃)̂(s₃ ⁻¹) in a casewhere the relation is satisfied, where s₃ and w₃ are a first componentand a second component of the information set read from said third liststorage part, respectively, and t₄, s₄ and w₄ are a first component, asecond component and a third component of the information set read fromsaid fourth list storage part, respectively, where G, H and F are cyclicgroups, a map ν: G×H→F is a bi-homomorphism, g is an element of thegroup G, h is an element of the group H, K_(G) is an order of the groupG, K_(H) is an order of the group H, μ_(g) is a generator of the groupG, μ_(h) is a generator of the group H, ν=θ(μ_(g), μ_(g)), k is asecurity parameter that is an integer, and K=2^(k).
 17. A requestingapparatus in a proxy calculation system that calculates θ(g, h) using aresult of a calculation performed by a calculating apparatus in responseto a request from the requesting apparatus, comprising: a first randomnumber generating part that generates a random number r₁ that is aninteger equal to or greater than 0 and smaller than K_(G); a secondrandom number generating part that generates a random number r₂ that isan integer equal to or greater than 0 and smaller than K_(H); a firstinput information calculating part that calculates first inputinformation g₁=μ_(g) ^(r1)g; a second input information calculating partthat calculates second input information h₁=μ_(h) ^(r2); a first listinformation calculating part that calculates z₁ν^(−r1r2) using z₁εFreceived from said calculating apparatus; a first list storage part thatstores an information set (r₂, z₁ν^(−r1r2)) composed of said randomnumber r₂ and said calculated z₁ν^(−r1r2); a third random numbergenerating part that generates a uniform random number d₁ that is aninteger equal to or greater than 0 and smaller than K; a fourth randomnumber generating part that generates a uniform random number r₄ that isan integer equal to or greater than 0 and smaller than K_(G); a fifthrandom number generating part that generates a uniform random number r₅that is an integer equal to or greater than 0 and smaller than K_(H); athird input information calculating part that calculates third inputinformation g₂=μ_(g) ^(r4)g^(d1); a fourth input information calculatingpart that calculates fourth input information h₂=μ_(h) ^(r5); a secondlist information calculating part that calculates z₂ν^(−r4r5) using z₂εFreceived from said calculating apparatus; a second list storage partthat stores an information set (d₁, r₅, z₂ν^(−r4r5)) composed of saidd₁, said r₅ and said calculated z₂ν^(−r4r5); a first determining partthat determines whether or not the information set read from said firstlist storage part and the information set read from said second liststorage part satisfy a relation (w₁)̂(t₂s₂s₁ ⁻¹)=w₂, and substitutes s₁for σ and w₁ for ν′ in a case where the relation is satisfied, where s₁and w₁ are a first component and a second component of the informationset read from said first list storage part, respectively, and t₂, s₂ andw₂ are a first component, a second component and a third component ofthe information set read from said second list storage part,respectively; a sixth random number generating part that generates auniform random number r₆ that is an integer equal to or greater than 0and smaller than K_(G); a seventh random number generating part thatgenerates a uniform random number r₇ that is an integer equal to orgreater than 0 and smaller than K_(H); a fifth input informationcalculating part that calculates fifth input information g₃=g^(r6); asixth input information calculating part that calculates sixth inputinformation h₃=μ_(h) ^(r7σ)h; a third list information calculating partthat calculates z₃ν^(−r6r7) using z₃εF received from said calculatingapparatus; a third list storage part that stores an information set (r₆,z₃ν′^(−r6r7)) composed of said r₆ and said calculated z₃ν′^(−r6r7); aneighth random number generating part that generates a uniform randomnumber d₂ that is an integer equal to or greater than 0 and smaller thanK; a ninth random number generating part that generates a uniform randomnumber r₉ that is an integer equal to or greater than 0 and smaller thanK_(G); a tenth random number generating part that generates a uniformrandom number r₁₀ that is an integer equal to or greater than 0 andsmaller than K_(H); a seventh input information calculating part thatcalculates seventh input information g₄=μ_(g) ^(r9); an eighth inputinformation calculating part that calculates eighth input informationh₄=μ_(h) ^(r10σ)h^(d2); a fourth list information calculating part thatcalculates z₄ν′^(−r9r10) using z₄εF received from said calculatingapparatus; a fourth list storage part that stores an information set(d₂, r₉, z₄ν′^(−r9r10)) composed of said d₂, said r₉ and said calculatedz₄ν′^(−r9r10); and a second determining part that determines whether ornot the information set read from said third list storage part and theinformation set read from said fourth list storage part satisfy arelation (w₃)̂(t₄s₄s₃ ⁻¹)=w₄, and outputs (w₃)̂(s₃ ⁻¹) in a case where therelation is satisfied, where s₃ and w₃ are a first component and asecond component of the information set read from said third liststorage part, respectively, and t₄, s₄ and w₄ are a first component, asecond component and a third component of the information set read fromsaid fourth list storage part, respectively, where G, H and F are cyclicgroups, a map θ: G×H→F is a bi-homomorphism, g is an element of thegroup G, h is an element of the group H, K_(G) is an order of the groupG, K_(H) is an order of the group H, μ_(g) is a generator of the groupG, μ_(h) is a generator of the group H, ν=θ(μ_(g), μ_(g)), k is asecurity parameter that is a natural number, and K=2^(k).
 18. A programthat makes a computer function as each part of a requesting apparatusaccording to claim 7 or
 17. 19. A computer-readable recording medium inwhich the program according to claim 18 is recorded.